chore(deps): update searxng/searxng:latest docker digest to 9206e4c (#4793 )

chore(deps): update harbor.alexlebens.net/images/site-profile docker tag to v3.13.0 (#4791 )
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [harbor.alexlebens.net/images/site-profile](https://gitea.alexlebens.dev/alexlebens/site-profile) | minor | `3.12.1` → `3.13.0` | --- ### Release Notes <details> <summary>alexlebens/site-profile (harbor.alexlebens.net/images/site-profile)</summary> ### [`v3.13.0`](https://gitea.alexlebens.dev/alexlebens/site-profile/releases/tag/3.13.0) [Compare Source](https://gitea.alexlebens.dev/alexlebens/site-profile/compare/3.12.1...3.13.0) ##### Bug Fixes - change execution mode ([a6c889f](a6c889f76a)) ##### Features - add and update pre-commit ([148fe8e](148fe8eeff)) - add fallback ([787479e](787479e077)) - add fallback ([220c29f](220c29f4f7)) - add fallback to run animations on switch ([954112e](954112e30e)) - add semantic-release/npm ([91c9a4b](91c9a4bb91)) - change paths ([9319228](9319228ef6)) - consolidate css into tailwind ([dfeb181](dfeb181a1d)) - downgrade to astro 5 ([f35c73b](f35c73b028)) - move scripts to script folder ([641c7cb](641c7cb33f)) - refactor static paths and photoswipe on blog page, move script to base layout ([93a53ca](93a53cab3d)) - remove react ([e3179b0](e3179b0480)) - revert shiki css changes ([c4104a5](c4104a52d1)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: #4791 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
2026-03-16 23:02:46 +00:00 · 2026-03-16 17:59:28 +00:00 · 2026-03-16 16:03:10 +00:00 · 2026-03-16 15:54:02 +00:00 · 2026-03-16 15:27:26 +00:00 · 2026-03-16 05:14:58 +00:00
192 changed files with 2836 additions and 2500 deletions
--- a/.gitea/workflows/lint-test-docker.yaml
+++ b/.gitea/workflows/lint-test-docker.yaml
@@ -14,7 +14,7 @@ on:
      - 'hosts/**'
 env:
-  BASE_BRANCH: "origin/${{ gitea.base_ref }}"
+  BASE_BRANCH: "origin/${{ github.base_ref }}"
 jobs:
  lint-docker-compose:
@@ -36,19 +36,20 @@ jobs:
        id: branch-exists
        if: github.event_name == 'push' || steps.check-branch-exists.outputs.exists == 'true' && github.event_name == 'pull_request'
        run: |
-          if [ ${{ github.event_name == 'push' }} ]; then
+          if [ "${{ github.event_name }}" == "push" ]; then
            echo ">> Action is from a push event, will continue with linting"
          else
-            echo ">> Branch ${{ gitea.base_ref }} exists, will continue with linting"
+            echo ">> Branch ${{ github.base_ref }} exists, will continue with linting"
          fi
          echo ""
          echo "----"
-          echo "exists=true" >> $GITEA_OUTPUT
+          echo "exists=true" >> $GITHUB_OUTPUT
-      - name: Set up Node.js
+      - name: Set Up Node.js
        if: steps.branch-exists.outputs.exists == 'true'
        uses: actions/setup-node@v6
        with:
@@ -58,58 +59,48 @@ jobs:
        id: check-dir-changes
        if: steps.branch-exists.outputs.exists == 'true'
        run: |
          CHANGED_COMPOSE=()
          echo ">> Target branch for diff is: ${BASE_BRANCH}"
          if [ "${{ github.event_name }}" == "pull_request" ]; then
            DIFF_TARGET="${BASE_BRANCH}"
            echo ""
            echo ">> Checking for changes in a pull request ..."
-            GIT_DIFF=$(git diff --name-only "${BASE_BRANCH}" | xargs -I {} dirname {} | sort -u)
+
          else
            DIFF_TARGET="${{ github.event.before }}..HEAD"
            echo ""
            echo ">> Checking for changes from a push ..."
            GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u)
          fi
          if [ -n "${GIT_DIFF}" ]; then
            echo ""
            echo ">> Changes detected:"
            echo "$GIT_DIFF"
            for path in $GIT_DIFF; do
              if echo "$path" | grep -q -E "hosts/[^/]+/[^/]+"; then
                echo ""
                echo ">> Adding path: $path"
                CHANGED_COMPOSE+=$(echo "$path")
                CHANGED_COMPOSE+=$(echo " ")
              fi
            done
          else
            echo ""
            echo ">> No changes detected"
          fi
          CHANGED_COMPOSE=$(git diff --name-only "${DIFF_TARGET}" | grep -E "^hosts/[^/]+/[^/]+/" | cut -d/ -f1,2,3 | sort -u || true)
          if [ -n "${CHANGED_COMPOSE}" ]; then
            echo ""
            echo ">> Compose to Lint:"
-            echo "$(echo "${CHANGED_COMPOSE}" | sort -u)"
+            echo ""
            echo "${CHANGED_COMPOSE}"
            CHANGED_COMPOSE_CSV=$(echo "$CHANGED_COMPOSE" | paste -sd ',' -)
            echo ""
            echo "----"
-            echo "changes-detected=true" >> $GITEA_OUTPUT
+            echo "changes-detected=true" >> $GITHUB_OUTPUT
-            echo "compose-dir<<EOF" >> $GITEA_OUTPUT
+            echo "compose-dir-csv=${CHANGED_COMPOSE_CSV}" >> $GITHUB_OUTPUT
-            echo "$(echo "${CHANGED_COMPOSE}" | sort -u)" >> $GITEA_OUTPUT
+            echo "compose-dir<<EOF" >> $GITHUB_OUTPUT
-            echo "EOF" >> $GITEA_OUTPUT
+            echo "${CHANGED_COMPOSE}" >> $GITHUB_OUTPUT
            echo "EOF" >> $GITHUB_OUTPUT
          else
            echo ""
            echo ">> Did not find any docker compose files to lint"
            echo ""
            echo "----"
-            echo "changes-detected=false" >> $GITEA_OUTPUT
+            echo "changes-detected=false" >> $GITHUB_OUTPUT
          fi
      - name: Lint Docker Compose
@@ -117,25 +108,27 @@ jobs:
        env:
          CHANGED_COMPOSE: ${{ steps.check-dir-changes.outputs.compose-dir }}
        run: |
-          echo ">> Running dclint on changed compose files:"
+          echo ">> Running dclint on changed compose files ..."
-          echo "$CHANGED_COMPOSE"
+
          for COMPOSE in $CHANGED_COMPOSE; do
            echo ">> Linting ${COMPOSE} ..."
            npx dclint ${COMPOSE}
          for compose in $CHANGED_COMPOSE; do
            echo ">> Linting $compose ..."
            npx dclint $compose
          done
          echo ""
          echo "----"
      - name: ntfy Failed
        uses: niniyas/ntfy-action@master
        if: failure()
        with:
          url: '${{ secrets.NTFY_URL }}'
          topic: '${{ secrets.NTFY_TOPIC }}'
-          title: 'Test Failure - Infrastructure'
+          title: 'Docker Compose Test Failure'
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,failed
-          details: 'Docker linting on Pull Request for Infrastructure has failed!'
+          details: "Docker linting for compose dirs: ${{ steps.check-dir-changes.outputs.compose-dir-csv }}"
          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
-          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=lint-test-docker-pull.yaml", "clear": true}]'
+          actions: '[{"action": "view", "label": "View Logs", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
          image: true
--- a/.gitea/workflows/lint-test-helm.yaml
+++ b/.gitea/workflows/lint-test-helm.yaml
@@ -15,11 +15,17 @@ on:
 env:
  CLUSTER: cl01tl
-  BASE_BRANCH: "origin/${{ gitea.base_ref }}"
+  BASE_BRANCH: "origin/${{ github.base_ref }}"
  # renovate: datasource=github-releases depName=yannh/kubeconform
  KUBECONFORM_VERSION: "v0.6.7"
 jobs:
  lint-helm:
    runs-on: ubuntu-js
    outputs:
      chart-dir: ${{ steps.check-dir-changes.outputs.chart-dir }}
      chart-dir-csv: ${{ steps.check-dir-changes.outputs.chart-dir-csv }}
      changes-detected: ${{ steps.check-dir-changes.outputs.changes-detected }}
    steps:
      - name: Checkout
        uses: actions/checkout@v6
@@ -31,88 +37,91 @@ jobs:
        if: github.event_name == 'pull_request'
        uses: GuillaumeFalourd/branch-exists@v1.1
        with:
-          branch: ${{ gitea.base_ref }}
+          branch: ${{ github.base_ref }}
      - name: Report Branch Exists
        id: branch-exists
        if: github.event_name == 'push' || steps.check-branch-exists.outputs.exists == 'true' && github.event_name == 'pull_request'
        run: |
-          if [ ${{ github.event_name == 'push' }} ]; then
+          if [ "${{ github.event_name }}" == "push" ]; then
            echo ">> Action is from a push event, will continue with linting"
          else
-            echo ">> Branch ${{ gitea.base_ref }} exists, will continue with linting"
+            echo ">> Branch ${{ github.base_ref }} exists, will continue with linting"
          fi
          echo ""
          echo "----"
-          echo "exists=true" >> $GITEA_OUTPUT
+          echo "exists=true" >> $GITHUB_OUTPUT
-      - name: Set up Helm
+      - name: Set Up Helm
        if: steps.branch-exists.outputs.exists == 'true'
        uses: azure/setup-helm@v4
        with:
          token: ${{ secrets.GITEA_TOKEN }}
-          version: v3.19.2
+          # renovate: datasource=github-releases depName=helm/helm
          version: v4.1.3
          cache: true
      - name: Cache Helm Dependencies
        if: steps.branch-exists.outputs.exists == 'true'
        uses: actions/cache@v5
        with:
          path: |
            ~/.cache/helm
            ~/.config/helm
          key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
          restore-keys: |
            helm-cache-${{ runner.os }}-
      - name: Check Directories for Changes
        id: check-dir-changes
        if: steps.branch-exists.outputs.exists == 'true'
        run: |
          CHANGED_CHARTS=()
          echo ">> Target branch for diff is: ${BASE_BRANCH}"
          if [ "${{ github.event_name }}" == "pull_request" ]; then
            DIFF_TARGET="${BASE_BRANCH}"
            echo ""
            echo ">> Checking for changes in a pull request ..."
-            GIT_DIFF=$(git diff --name-only "${BASE_BRANCH}" | xargs -I {} dirname {} | sort -u)
+
          else
            DIFF_TARGET="${{ github.event.before }}..HEAD"
            echo ""
            echo ">> Checking for changes from a push ..."
            GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u)
          fi
          if [ -n "${GIT_DIFF}" ]; then
            echo ""
            echo ">> Changes detected:"
            echo "$GIT_DIFF"
            for path in $GIT_DIFF; do
              if echo "$path" | grep -q -E "clusters/[^/]+/helm/[^/]+"; then
                echo ""
                echo ">> Adding path: $path"
                CHANGED_CHARTS+=$(echo "$path" | awk -F '/' '{print $4}')
                CHANGED_CHARTS+=$(echo "\n")
              fi
            done
          else
            echo ""
            echo ">> No changes detected"
          fi
          CHANGED_CHARTS=$(git diff --name-only "${DIFF_TARGET}" | grep -E "^clusters/${CLUSTER}/helm/" | awk -F '/' '{print $4}' | sort -u || true)
          if [ -n "${CHANGED_CHARTS}" ]; then
            echo ""
            echo ">> Chart to Lint:"
-            echo "$(echo "${CHANGED_CHARTS}" | sort -u)"
+            echo ""
            echo "${CHANGED_CHARTS}"
            CHANGED_CHARTS_CSV=$(echo "$CHANGED_CHARTS" | paste -sd ',' -)
            echo ""
            echo "----"
-            echo "changes-detected=true" >> $GITEA_OUTPUT
+            echo "changes-detected=true" >> $GITHUB_OUTPUT
-            echo "chart-dir<<EOF" >> $GITEA_OUTPUT
+            echo "chart-dir-csv=${CHANGED_CHARTS_CSV}" >> $GITHUB_OUTPUT
-            echo "$(echo "${CHANGED_CHARTS}" | sort -u)" >> $GITEA_OUTPUT
+            echo "chart-dir<<EOF" >> $GITHUB_OUTPUT
-            echo "EOF" >> $GITEA_OUTPUT
+            echo "${CHANGED_CHARTS}" >> $GITHUB_OUTPUT
            echo "EOF" >> $GITHUB_OUTPUT
          else
            echo ""
            echo ">> Did not find any helm charts files to lint"
            echo ""
            echo "----"
-            echo "changes-detected=false" >> $GITEA_OUTPUT
+            echo "changes-detected=false" >> $GITHUB_OUTPUT
          fi
      - name: Add Repositories
@@ -121,68 +130,238 @@ jobs:
          CHANGED_CHARTS: ${{ steps.check-dir-changes.outputs.chart-dir }}
        run: |
          echo ">> Adding repositories for chart dependencies ..."
-          for dir in ${CHANGED_CHARTS}; do
+          echo ""
-            helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/$dir 2> /dev/null \
+
-              | tail +2 | head -n -1 \
+          for DIR in ${CHANGED_CHARTS}; do
-              | awk '{ print "helm repo add " $1 " " $3 }' \
+            helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/${DIR} 2> /dev/null \
-              | while read cmd; do
+              | tail -n +2 \
-                if [[ "$cmd" == "*oci://*" ]]; then
+              | awk 'NF > 0 { print $1, $3 }' \
-                  echo ">> Ignoring OCI repo"
+              | while read -r REPO_NAME REPO_URL; do
-                else
+                if [[ "${REPO_URL}" == oci://* ]]; then
-                  echo ">> Command: $cmd"
+                  echo ">> Ignoring OCI repo: ${REPO_URL}"
-                  echo "$cmd" | sh;
+
                elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
                  helm repo add "${REPO_NAME}" "${REPO_URL}"
                fi
              done || true
          done
-          if helm repo list | tail +2 | read -r; then
+          if helm repo list > /dev/null 2>&1; then
            echo ""
            echo ">> Update repository cache ..."
            helm repo update
          fi
          echo ""
          echo "----"
      - name: Lint Helm Chart
        id: lint
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          CHANGED_CHARTS: ${{ steps.check-dir-changes.outputs.chart-dir }}
        run: |
          EXIT_CODE=0
          FAILED_CHARTS=""
          echo ">> Running linting on changed charts ..."
-          for dir in ${CHANGED_CHARTS}; do
+          for DIR in ${CHANGED_CHARTS}; do
-            chart_path=clusters/${CLUSTER}/helm/$dir
+            CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
-            chart_name=$(basename "$chart_path")
+            CHART_NAME=$(basename "${CHART_PATH}")
-            if [ -f "$chart_path/Chart.yaml" ]; then
+            if [ -f "${CHART_PATH}/Chart.yaml" ]; then
-              cd $chart_path
+              echo ""
              echo ">> Building helm dependency for ${CHART_NAME} ..."
              helm dependency build "${CHART_PATH}" --skip-refresh
              echo ""
-              echo ">> Building helm dependency ..."
+              echo ">> Linting helm chart ${CHART_NAME} ..."
              helm dependency build --skip-refresh
-              echo ""
+              if ! helm lint "${CHART_PATH}" --namespace "default"; then
-              echo ">> Linting helm ..."
+                EXIT_CODE=1
-              helm lint --namespace "$chart_name"
+
                if [ -z "${FAILED_CHARTS}" ]; then
                  FAILED_CHARTS="${DIR}"
                else
                  FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}"
                fi
              fi
            else
              echo ""
-              echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
+              echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
-              echo ""
+
            fi
          done
          echo ""
          echo "----"
          echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT"
          exit $EXIT_CODE
      - name: ntfy Failed
        uses: niniyas/ntfy-action@master
        if: failure()
        with:
          url: '${{ secrets.NTFY_URL }}'
          topic: '${{ secrets.NTFY_TOPIC }}'
-          title: 'Test Failure - Infrastructure'
+          title: 'Helm Test Failure'
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,failed
-          details: 'Helm linting on Pull Request for Infrastructure has failed!'
+          details: "Helm linting for cluster '${{ env.CLUSTER }}' failed on charts: ${{ steps.lint.outputs.failed-charts }}"
          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
-          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=lint-test-helm-pull.yaml", "clear": true}]'
+          actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
          image: true
  validate-kubeconform:
    needs: lint-helm
    runs-on: ubuntu-js
    if: |
      needs.lint-helm.result == 'success' &&
      needs.lint-helm.outputs.changes-detected == 'true' &&
      github.event_name == 'pull_request'
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Install Kubeconform
        run: |
          echo ">> Downloading Kubeconform ${{ env.KUBECONFORM_VERSION }} ..."
          wget -q https://github.com/yannh/kubeconform/releases/download/${{ env.KUBECONFORM_VERSION }}/kubeconform-linux-amd64.tar.gz
          echo ""
          echo ">> Extracting Kubeconform ..."
          tar xf kubeconform-linux-amd64.tar.gz
          echo ""
          echo ">> Installing Kubeconform ..."
          sudo mv kubeconform /usr/local/bin/
          echo ""
          echo ">> Verifying installation ..."
          kubeconform -v
          echo ""
          echo "----"
      - name: Set Up Helm
        uses: azure/setup-helm@v4
        with:
          token: ${{ secrets.GITEA_TOKEN }}
          # renovate: datasource=github-releases depName=helm/helm
          version: v4.1.3
          cache: true
      - name: Cache Helm Dependencies
        uses: actions/cache@v5
        with:
          path: |
            ~/.cache/helm
            ~/.config/helm
          key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
          restore-keys: |
            helm-cache-${{ runner.os }}-
      - name: Add Repositories
        env:
          CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
        run: |
          echo ">> Adding repositories for chart dependencies ..."
          echo ""
          for DIR in ${CHANGED_CHARTS}; do
            helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/${DIR} 2> /dev/null \
              | tail -n +2 \
              | awk 'NF > 0 { print $1, $3 }' \
              | while read -r REPO_NAME REPO_URL; do
                if [[ "${REPO_URL}" == oci://* ]]; then
                  echo ">> Ignoring OCI repo: ${REPO_URL}"
                elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
                  helm repo add "${REPO_NAME}" "${REPO_URL}"
                fi
              done || true
          done
          if helm repo list > /dev/null 2>&1; then
            echo ""
            echo ">> Update repository cache ..."
            helm repo update
          fi
          echo ""
          echo "----"
      - name: Validate Rendered Templates
        id: validate
        env:
          CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
        run: |
          SCHEMA_LOCATIONS="-schema-location default -schema-location https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
          EXIT_CODE=0
          FAILED_CHARTS=""
          for DIR in ${CHANGED_CHARTS}; do
            CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
            echo ""
            echo ">> Validating: ${DIR}"
            helm dependency build "${CHART_PATH}" --skip-refresh
            if ! helm template "${DIR}" "${CHART_PATH}" --include-crds --namespace default --api-versions "gateway.networking.k8s.io/v1/HTTPRoute" | \
              kubeconform \
                ${SCHEMA_LOCATIONS} \
                -ignore-missing-schemas \
                -strict \
                -summary; then
              EXIT_CODE=1
              if [ -z "${FAILED_CHARTS}" ]; then
                FAILED_CHARTS="${DIR}"
              else
                FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}"
              fi
            fi
          done
          echo ""
          echo "----"
          echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT"
          exit $EXIT_CODE
      - name: ntfy Failed
        uses: niniyas/ntfy-action@master
        if: failure()
        with:
          url: '${{ secrets.NTFY_URL }}'
          topic: '${{ secrets.NTFY_TOPIC }}'
          title: 'Kubeconform Test Failure'
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,failed
          details: "Kubeconform for cluster '${{ env.CLUSTER }}' failed on charts: ${{ steps.validate.outputs.failed-charts }}"
          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
          actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
          image: true
--- a/.gitea/workflows/render-manifests-automerge.yaml
+++ b/.gitea/workflows/render-manifests-automerge.yaml
@@ -1,440 +0,0 @@
 name: render-manifests-automerge
 on:
  pull_request:
    branches:
      - main
    paths:
      - 'clusters/cl01tl/helm/**'
    types:
      - closed
 env:
  CLUSTER: cl01tl
  BASE_BRANCH: manifests
  BRANCH_NAME_BASE: auto/update-manifests-automerge
  MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
  MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
 jobs:
  render-manifests-automerge:
    runs-on: ubuntu-js
    if: ${{ (github.event.pull_request.merged == true) && (contains(github.event.pull_request.labels.*.name, 'automerge')) }}
    steps:
      - name: Checkout Main
        uses: actions/checkout@v6
        with:
          path: infrastructure
          fetch-depth: 0
      - name: Checkout Manifests
        uses: actions/checkout@v6
        with:
          ref: manifests
          path: infrastructure-manifests
      - name: Set up Helm
        uses: azure/setup-helm@v4
        with:
          token: ${{ secrets.GITEA_TOKEN }}
          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
          cache: true
      - name: Configure Kubeconfig
        uses: azure/k8s-set-context@v4
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - name: Prepare Manifest Branch
        id: prepare-manifest-branch
        run: |
          cd ${MANIFEST_DIR}
          BRANCH_NAME="${BRANCH_NAME_BASE}-$(date +%Y%m%d%H%M%S)"
          echo ">> Configure git to use gitea-bot as user ..."
          git config user.name "gitea-bot"
          git config user.email "gitea-bot@alexlebens.net"
          echo ">> Creating branch ..."
          git checkout -b $BRANCH_NAME
          echo "----"
          echo "BRANCH_NAME=${BRANCH_NAME}" >> $GITEA_OUTPUT
      - name: Check which Directories have Changes
        id: check-dir-changes
        run: |
          cd ${MAIN_DIR}
          RENDER_DIR=()
          echo ">> Checking for changes from HEAD^..HEAD ..."
          GIT_DIFF=$(git diff --name-only HEAD^..HEAD | xargs -I {} dirname {} | sort -u | grep -E "clusters/[^/]+/helm/[^/]+")
          if [ -n "${GIT_DIFF}" ]; then
            echo ">> Changes detected:"
            echo "$GIT_DIFF"
            for path in $GIT_DIFF; do
              RENDER_DIR+=$(echo "$path" | awk -F '/' '{print $4}')
              RENDER_DIR+=$(echo " ")
            done
          else
            echo ">> No changes detected"
          fi
          if [ -n "${RENDER_DIR}" ]; then
            echo ">> Directories to Render:"
            echo "$(echo "${RENDER_DIR}" | sort -u)"
            echo "----"
            echo "changes-detected=true" >> $GITEA_OUTPUT
            echo "render-dir<<EOF" >> $GITEA_OUTPUT
            echo "$(echo "${RENDER_DIR}" | sort -u)" >> $GITEA_OUTPUT
            echo "EOF" >> $GITEA_OUTPUT
          else
            echo "changes-detected=false" >> $GITEA_OUTPUT
          fi
      - name: Add Repositories
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd ${MAIN_DIR}
          echo ">> Adding repositories for chart dependencies ..."
          for dir in ${RENDER_DIR}; do
            helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
              | tail +2 | head -n -1 \
              | awk '{ print "helm repo add " $1 " " $3 }' \
              | while read cmd; do
                if [[ "$cmd" == "*oci://*" ]]; then
                  echo ">> Ignoring OCI repo"
                else
                  echo "$cmd" | sh;
                fi
              done || true
          done
          if helm repo list | tail +2 | read -r; then
            echo ">> Update repository cache ..."
            helm repo update
          fi
          echo "----"
      - name: Remove Changed Manifest Files
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd ${MANIFEST_DIR}
          echo ">> Remove manfiest files and rebuild from source ..."
          for dir in ${RENDER_DIR}; do
            chart_path=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$dir
            echo "$chart_path"
            rm -rf $chart_path/*
          done
          echo "----"
      - name: Render Helm Manifests
        id: render-manifests
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd ${MAIN_DIR}
          echo ">> Rendering Manifests ..."
          for dir in ${RENDER_DIR}; do
            chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
            chart_name=$(basename "$chart_path")
            echo ""
            echo ""
            echo ">> Rendering chart: $chart_name"
            echo ">> Chart path $chart_path"
            if [ -f "$chart_path/Chart.yaml" ]; then
              OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/"
              TEMPLATE=""
              mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
              cd $chart_path
              echo ""
              echo ">> Updating helm dependency ..."
              helm dependency update --skip-refresh
              echo ""
              echo ">> Building helm dependency ..."
              helm dependency build --skip-refresh
              echo ""
              echo ">> Linting helm ..."
              helm lint --namespace "$chart_name"
              echo ""
              echo ">> Rendering templates ..."
              case "$chart_name" in
                "stack")
                  echo ""
                  echo ">> Special Rendering for stack into argocd namespace ..."
                  TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
                  ;;
                "cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds")
                  echo ""
                  echo ">> Special Rendering for $chart_name into kube-system namespace ..."
                  TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
                  ;;
                *)
                  echo ""
                  echo ">> Standard Rendering for $chart_name ..."
                  TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
                  ;;
              esac
              echo ""
              echo ">> Formating rendered template ..."
              echo "$TEMPLATE" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"'
              # Strip comments again to ensure formatting correctness
              for file in "$OUTPUT_FOLDER"/*; do
                yq -i '... comments=""' $file
              done
              echo ""
              echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER"
              ls $OUTPUT_FOLDER
              echo ""
            else
              echo ""
              echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
              echo ""
            fi
          done
          echo "----"
      - name: Check for Changes
        id: check-changes
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        run: |
          cd ${MANIFEST_DIR}
          GIT_CHANGES=$(git status --porcelain)
          if [ -n "$GIT_CHANGES" ]; then
            echo ">> Changes detected"
            git status --porcelain
            echo "changes-detected=true" >> $GITEA_OUTPUT
          else
            echo ">> No changes detected, skipping PR creation"
          fi
          echo "----"
      - name: Commit and Push Changes
        id: commit-push
        if: steps.check-changes.outputs.changes-detected == 'true'
        env:
          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
        run: |
          cd ${MANIFEST_DIR}
          echo ">> Commiting changes to ${BRANCH_NAME} ..."
          git add .
          git commit -m "chore: Update manifests after automerge"
          REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
          echo ">> Pushing changes to $REPO_URL ..."
          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" ${BRANCH_NAME}
          echo "----"
          echo "push=true" >> $GITEA_OUTPUT
      - name: Create Pull Request
        id: create-pull-request
        if: steps.commit-push.outputs.push == 'true'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
        run: |
          cd ${MANIFEST_DIR}
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
          PAYLOAD=$( jq -n \
            --arg head "${BRANCH_NAME}" \
            --arg base "${BASE_BRANCH}" \
            --arg title "Automated Manifest Update - Automerge" \
            --arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow. This is expected to be automerged." \
            '{head: $head, base: $base, title: $title, body: $body}' )
          echo ">> Creating PR from branch ${BRANCH_NAME} into ${BASE_BRANCH}"
          echo ">> With Endpoint of:"
          echo "$API_ENDPOINT"
          echo ">> With Payload of:"
          echo "$PAYLOAD"
          HTTP_STATUS=$(
            curl -X POST \
              --silent \
              --write-out '%{http_code}' \
              --output response_body.json \
              --dump-header response_headers.txt \
              --data "$PAYLOAD" \
              -H "Authorization: token ${GITEA_TOKEN}" \
              -H "Content-Type: application/json" \
              "$API_ENDPOINT" 2> response_errors.txt
          )
          echo ">> HTTP Status Code: $HTTP_STATUS"
          echo ">> Response Output ..."
          echo "----"
          cat response_body.json
          echo "----"
          cat response_headers.txt
          echo "----"
          cat response_errors.txt
          echo "----"
          if [ "$HTTP_STATUS" == "201" ]; then
            echo ">> Pull Request created successfully!"
            PR_URL=$(cat response_body.json | jq -r .html_url)
            echo ">> Pull Request URL: $PR_URL"
            echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
            PR_NUMBER=$(cat response_body.json | jq -r .number)
            echo ">> Pull Request Number: $PR_NUMBER"
            echo "pull-request-number=${PR_NUMBER}" >> $GITEA_OUTPUT
            echo "pull-request-operation=created" >> $GITEA_OUTPUT
          elif [ "$HTTP_STATUS" == "422" ]; then
            echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
          elif [ "$HTTP_STATUS" == "409" ]; then
            echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
          else
            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
            exit 1
          fi
          echo "----"
      - name: Merge Changes
        id: merge-changes
        if: steps.commit-push.outputs.push == 'true'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
          PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }}
        run: |
          cd ${MANIFEST_DIR}
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls/${PR_NUMBER}/merge"
          PAYLOAD=$( jq -n \
            --arg Do "merge" \
            '{Do: $Do}' )
          echo ">> Merging PR with ID: ${PR_NUMBER}"
          echo ">> With Endpoint of:"
          echo "$API_ENDPOINT"
          echo ">> With Payload of:"
          echo "$PAYLOAD"
          HTTP_STATUS=$(
            curl -X POST \
              --silent \
              --write-out '%{http_code}' \
              --output response_body.json \
              --dump-header response_headers.txt \
              --data "$PAYLOAD" \
              -H "Authorization: token ${GITEA_TOKEN}" \
              -H "Content-Type: application/json" \
              "$API_ENDPOINT" 2> response_errors.txt
          )
          echo ">> HTTP Status Code: $HTTP_STATUS"
          echo ">> Response Output ..."
          echo "----"
          cat response_body.json
          echo "----"
          cat response_headers.txt
          echo "----"
          cat response_errors.txt
          echo "----"
          if [ "$HTTP_STATUS" == "200" ]; then
            echo ">> Pull Request merged successfully!"
            echo "pull-request-operation=merged" >> $GITEA_OUTPUT
          else
            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
            echo "pull-request-operation=failed" >> $GITEA_OUTPUT
            exit 1
          fi
          echo "----"
      - name: Cleanup Branch
        if: failure()
        env:
          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.BRANCH_NAME }}
        run: |
          cd ${MANIFEST_DIR}
          echo ">> Removing branch: ${BRANCH_NAME}"
          git push origin --delete ${BRANCH_NAME}
          echo "----"
      - name: ntfy Merged
        uses: niniyas/ntfy-action@master
        if: steps.merge-changes.outputs.pull-request-operation == 'merged'
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render PR Merged - Infrastructure"
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,successfully,completed
          details: "Automerge Manifest rendering for Infrastructure!"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
      - name: ntfy Failed
        uses: niniyas/ntfy-action@master
        if: failure()
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render Failure - Infrastructure"
          priority: 4
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,failed
          details: "Automerge Manifest rendering for Infrastructure has failed!"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests-automerge.yaml", "clear": true}]'
          image: true
--- a/.gitea/workflows/render-manifests-dispatch.yaml
+++ b/.gitea/workflows/render-manifests-dispatch.yaml
@@ -1,390 +0,0 @@
 name: render-manifests-dispatch
 on:
  schedule:
    - cron: '0 3 * * *'
  workflow_dispatch:
 env:
  CLUSTER: cl01tl
  BASE_BRANCH: manifests
  BRANCH_NAME: auto/update-manifests
  ASSIGNEE: alexlebens
  MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
  MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
 jobs:
  render-manifests-dispatch:
    runs-on: ubuntu-js
    steps:
      - name: Checkout Main
        uses: actions/checkout@v6
        with:
          path: infrastructure
          fetch-depth: 0
      - name: Checkout Manifests
        uses: actions/checkout@v6
        with:
          ref: manifests
          path: infrastructure-manifests
      - name: Set up Helm
        uses: azure/setup-helm@v4
        with:
          token: ${{ secrets.GITEA_TOKEN }}
          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
          cache: true
      - name: Configure Kubeconfig
        uses: azure/k8s-set-context@v4
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - name: Prepare Manifest Branch
        run: |
          cd ${MANIFEST_DIR}
          echo ">> Configure git to use gitea-bot as user ..."
          git config user.name "gitea-bot"
          git config user.email "gitea-bot@alexlebens.net"
          echo ">> Checking if PR branch exists ..."
          if [[ $(git ls-remote --heads origin "${BRANCH_NAME}" | wc -l) -gt 0 ]]; then
            echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
            git fetch origin "${BRANCH_NAME}"
            git checkout "${BRANCH_NAME}"
            git pull --rebase
          else
            echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
            git checkout -b $BRANCH_NAME
          fi
          echo "----"
      - name: Check which Directories have Changes
        id: check-dir-changes
        run: |
          cd ${MAIN_DIR}
          RENDER_DIR=()
          echo ">> Triggered on dispatch, will check all paths ..."
          RENDER_DIR+=$(ls clusters/cl01tl/helm/)
          if [ -n "${RENDER_DIR}" ]; then
            echo ">> Directories to Render:"
            echo "$(echo "${RENDER_DIR}" | sort -u)"
            echo "----"
            echo "changes-detected=true" >> $GITEA_OUTPUT
            echo "render-dir<<EOF" >> $GITEA_OUTPUT
            echo "$(echo "${RENDER_DIR}" | sort -u)" >> $GITEA_OUTPUT
            echo "EOF" >> $GITEA_OUTPUT
          else
            echo "changes-detected=false" >> $GITEA_OUTPUT
          fi
      - name: Add Repositories
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd ${MAIN_DIR}
          echo ">> Adding repositories for chart dependencies ..."
          for dir in ${RENDER_DIR}; do
            helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
              | tail +2 | head -n -1 \
              | awk '{ print "helm repo add " $1 " " $3 }' \
              | while read cmd; do
                if [[ "$cmd" == "*oci://*" ]]; then
                  echo ">> Ignoring OCI repo"
                else
                  echo "$cmd" | sh;
                fi
              done || true
          done
          if helm repo list | tail +2 | read -r; then
            echo ">> Update repository cache ..."
            helm repo update
          fi
          echo "----"
      - name: Render Helm Manifests
        id: render-manifests
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd ${MAIN_DIR}
          echo ">> Rendering Manifests ..."
          for dir in ${RENDER_DIR}; do
            chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
            chart_name=$(basename "$chart_path")
            echo ""
            echo ""
            echo ">> Rendering chart: $chart_name"
            echo ">> Chart path $chart_path"
            if [ -f "$chart_path/Chart.yaml" ]; then
              OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/"
              TEMPLATE=""
              mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
              cd $chart_path
              echo ""
              echo ">> Updating helm dependency ..."
              helm dependency update --skip-refresh
              echo ""
              echo ">> Building helm dependency ..."
              helm dependency build --skip-refresh
              echo ""
              echo ">> Linting helm ..."
              helm lint --namespace "$chart_name"
              echo ""
              echo ">> Rendering templates ..."
              case "$chart_name" in
                "stack")
                  echo ""
                  echo ">> Special Rendering for stack into argocd namespace ..."
                  TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
                  ;;
                "cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds")
                  echo ""
                  echo ">> Special Rendering for $chart_name into kube-system namespace ..."
                  TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
                  ;;
                *)
                  echo ""
                  echo ">> Standard Rendering for $chart_name ..."
                  TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
                  ;;
              esac
              echo ""
              echo ">> Formating rendered template ..."
              echo "$TEMPLATE" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"'
              # Strip comments again to ensure formatting correctness
              for file in "$OUTPUT_FOLDER"/*; do
                yq -i '... comments=""' $file
              done
              echo ""
              echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER"
              ls $OUTPUT_FOLDER
              echo ""
            else
              echo ""
              echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
              echo ""
            fi
          done
          echo "----"
      - name: Check for Changes
        id: check-changes
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        run: |
          cd ${MANIFEST_DIR}
          GIT_CHANGES=$(git status --porcelain)
          if [ -n "$GIT_CHANGES" ]; then
            echo ">> Changes detected"
            git status --porcelain
            echo "changes-detected=true" >> $GITEA_OUTPUT
          else
            echo ">> No changes detected, skipping PR creation"
          fi
          echo "----"
      - name: Commit and Push Changes
        id: commit-push
        if: steps.check-changes.outputs.changes-detected == 'true'
        run: |
          cd ${MANIFEST_DIR}
          echo ">> Commiting changes to ${BRANCH_NAME} ..."
          git add .
          git commit -m "chore: Update manifests after change"
          REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
          echo ">> Pushing changes to $REPO_URL ..."
          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" ${BRANCH_NAME}
          echo "----"
          echo "HEAD_BRANCH=${BRANCH_NAME}" >> $GITEA_OUTPUT
          echo "push=true" >> $GITEA_OUTPUT
      - name: Check for Pull Request
        id: check-for-pull-requst
        if: steps.commit-push.outputs.push == 'true'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
        run: |
          cd ${MANIFEST_DIR}
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
          echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
          echo ">> With Endpoint of:"
          echo "$API_ENDPOINT"
          HTTP_STATUS=$(
            curl -X GET \
              --silent \
              --write-out '%{http_code}' \
              --output response_body.json \
              --dump-header response_headers.txt \
              -H "Authorization: token ${GITEA_TOKEN}" \
              -H "Content-Type: application/json" \
              "$API_ENDPOINT" 2> response_errors.txt
          )
          echo ">> HTTP Status Code: $HTTP_STATUS"
          echo ">> Response Output ..."
          echo "----"
          cat response_body.json
          echo "----"
          cat response_headers.txt
          echo "----"
          cat response_errors.txt
          echo "----"
          if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
            echo ">> Pull Request has been found open, will update"
            PR_INDEX=$(cat response_body.json | jq -r .[0].number)
            echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
            echo "pull-request-index=true" >> $GITEA_OUTPUT
          elif [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "closed" ]; then
            echo ">> Pull Request found, but was closed"
            echo "pull-request-exists=false" >> $GITEA_OUTPUT
          else
            echo ">> Pull Request not found"
            echo "pull-request-exists=false" >> $GITEA_OUTPUT
          fi
          echo "----"
      - name: Create Pull Request
        id: create-pull-request
        if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
        run: |
          cd ${MANIFEST_DIR}
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
          PAYLOAD=$( jq -n \
            --arg head "${HEAD_BRANCH}" \
            --arg base "${BASE_BRANCH}" \
            --arg assignee "${ASSIGNEE}" \
            --arg title "Automated Manifest Update" \
            --arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
            '{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}' )
          echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
          echo ">> With Endpoint of:"
          echo "$API_ENDPOINT"
          echo ">> With Payload of:"
          echo "$PAYLOAD"
          HTTP_STATUS=$(
            curl -X POST \
              --silent \
              --write-out '%{http_code}' \
              --output response_body.json \
              --dump-header response_headers.txt \
              --data "$PAYLOAD" \
              -H "Authorization: token ${GITEA_TOKEN}" \
              -H "Content-Type: application/json" \
              "$API_ENDPOINT" 2> response_errors.txt
          )
          echo ">> HTTP Status Code: $HTTP_STATUS"
          echo ">> Response Output ..."
          echo "----"
          cat response_body.json
          echo "----"
          cat response_headers.txt
          echo "----"
          cat response_errors.txt
          echo "----"
          if [ "$HTTP_STATUS" == "201" ]; then
            echo ">> Pull Request created successfully!"
            PR_URL=$(cat response_body.json | jq -r .html_url)
            echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
            PR_ID=$(cat response_body.json | jq -r .id)
            echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
            echo "pull-request-operation=created" >> $GITEA_OUTPUT
          elif [ "$HTTP_STATUS" == "422" ]; then
            echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
          elif [ "$HTTP_STATUS" == "409" ]; then
            echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
          else
            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
            exit 1
          fi
          echo "----"
      - name: ntfy Created
        uses: niniyas/ntfy-action@master
        if: steps.create-pull-request.outputs.pull-request-operation == 'created'
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render PR Created - Infrastructure"
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,successfully,completed
          details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
      - name: ntfy Failed
        uses: niniyas/ntfy-action@master
        if: failure()
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render Failure - Infrastructure"
          priority: 4
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,failed
          details: "Manifest rendering for Infrastructure has failed!"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
          image: true
--- a/.gitea/workflows/render-manifests-merge.yaml
+++ b/.gitea/workflows/render-manifests-merge.yaml
@@ -1,425 +0,0 @@
 name: render-manifests-merge
 on:
  pull_request:
    branches:
      - main
    paths:
      - 'clusters/cl01tl/helm/**'
    types:
      - closed
 env:
  CLUSTER: cl01tl
  BASE_BRANCH: manifests
  BRANCH_NAME: auto/update-manifests
  ASSIGNEE: alexlebens
  MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
  MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
 jobs:
  render-manifests-merge:
    runs-on: ubuntu-js
    if: ${{ (github.event.pull_request.merged == true) && !(contains(github.event.pull_request.labels.*.name, 'automerge')) }}
    steps:
      - name: Checkout Main
        uses: actions/checkout@v6
        with:
          path: infrastructure
          fetch-depth: 0
      - name: Checkout Manifests
        uses: actions/checkout@v6
        with:
          ref: manifests
          path: infrastructure-manifests
      - name: Set up Helm
        uses: azure/setup-helm@v4
        with:
          token: ${{ secrets.GITEA_TOKEN }}
          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
          cache: true
      - name: Configure Kubeconfig
        uses: azure/k8s-set-context@v4
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - name: Prepare Manifest Branch
        run: |
          cd ${MANIFEST_DIR}
          echo ">> Configure git to use gitea-bot as user ..."
          git config user.name "gitea-bot"
          git config user.email "gitea-bot@alexlebens.net"
          echo ">> Checking if PR branch exists ..."
          if [[ $(git ls-remote --heads origin "${BRANCH_NAME}" | wc -l) -gt 0 ]]; then
            echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
            git fetch origin "${BRANCH_NAME}"
            git checkout "${BRANCH_NAME}"
            git pull --rebase
          else
            echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
            git checkout -b $BRANCH_NAME
          fi
          echo "----"
      - name: Check which Directories have Changes
        id: check-dir-changes
        run: |
          cd ${MAIN_DIR}
          RENDER_DIR=()
          echo ">> Checking for changes from HEAD^..HEAD ..."
          GIT_DIFF=$(git diff --name-only HEAD^..HEAD | xargs -I {} dirname {} | sort -u | grep -E "clusters/[^/]+/helm/[^/]+")
          if [ -n "${GIT_DIFF}" ]; then
            echo ">> Changes detected:"
            echo "$GIT_DIFF"
            for path in $GIT_DIFF; do
              RENDER_DIR+=$(echo "$path" | awk -F '/' '{print $4}')
              RENDER_DIR+=$(echo " ")
            done
          else
            echo ">> No changes detected"
          fi
          if [ -n "${RENDER_DIR}" ]; then
            echo ">> Directories to Render:"
            echo "$(echo "${RENDER_DIR}" | sort -u)"
            echo "----"
            echo "changes-detected=true" >> $GITEA_OUTPUT
            echo "render-dir<<EOF" >> $GITEA_OUTPUT
            echo "$(echo "${RENDER_DIR}" | sort -u)" >> $GITEA_OUTPUT
            echo "EOF" >> $GITEA_OUTPUT
          else
            echo "changes-detected=false" >> $GITEA_OUTPUT
          fi
      - name: Add Repositories
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd ${MAIN_DIR}
          echo ">> Adding repositories for chart dependencies ..."
          for dir in ${RENDER_DIR}; do
            helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
              | tail +2 | head -n -1 \
              | awk '{ print "helm repo add " $1 " " $3 }' \
              | while read cmd; do
                if [[ "$cmd" == "*oci://*" ]]; then
                  echo ">> Ignoring OCI repo"
                else
                  echo "$cmd" | sh;
                fi
              done || true
          done
          if helm repo list | tail +2 | read -r; then
            echo ">> Update repository cache ..."
            helm repo update
          fi
          echo "----"
      - name: Remove Changed Manifest Files
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd ${MANIFEST_DIR}
          echo ">> Remove manfiest files and rebuild from source ..."
          for dir in ${RENDER_DIR}; do
            chart_path=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$dir
            echo "$chart_path"
            rm -rf $chart_path/*
          done
          echo "----"
      - name: Render Helm Manifests
        id: render-manifests
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd ${MAIN_DIR}
          echo ">> Rendering Manifests ..."
          for dir in ${RENDER_DIR}; do
            chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
            chart_name=$(basename "$chart_path")
            echo ""
            echo ""
            echo ">> Rendering chart: $chart_name"
            echo ">> Chart path $chart_path"
            if [ -f "$chart_path/Chart.yaml" ]; then
              OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/"
              TEMPLATE=""
              mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
              cd $chart_path
              echo ""
              echo ">> Updating helm dependency ..."
              helm dependency update --skip-refresh
              echo ""
              echo ">> Building helm dependency ..."
              helm dependency build --skip-refresh
              echo ""
              echo ">> Linting helm ..."
              helm lint --namespace "$chart_name"
              echo ""
              echo ">> Rendering templates ..."
              case "$chart_name" in
                "stack")
                  echo ""
                  echo ">> Special Rendering for stack into argocd namespace ..."
                  TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
                  ;;
                "cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds")
                  echo ""
                  echo ">> Special Rendering for $chart_name into kube-system namespace ..."
                  TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
                  ;;
                *)
                  echo ""
                  echo ">> Standard Rendering for $chart_name ..."
                  TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
                  ;;
              esac
              echo ""
              echo ">> Formating rendered template ..."
              echo "$TEMPLATE" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"'
              # Strip comments again to ensure formatting correctness
              for file in "$OUTPUT_FOLDER"/*; do
                yq -i '... comments=""' $file
              done
              echo ""
              echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER"
              ls $OUTPUT_FOLDER
              echo ""
            else
              echo ""
              echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
              echo ""
            fi
          done
          echo "----"
      - name: Check for Changes
        id: check-changes
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        run: |
          cd ${MANIFEST_DIR}
          GIT_CHANGES=$(git status --porcelain)
          if [ -n "$GIT_CHANGES" ]; then
            echo ">> Changes detected"
            git status --porcelain
            echo "changes-detected=true" >> $GITEA_OUTPUT
          else
            echo ">> No changes detected, skipping PR creation"
          fi
          echo "----"
      - name: Commit and Push Changes
        id: commit-push
        if: steps.check-changes.outputs.changes-detected == 'true'
        run: |
          cd ${MANIFEST_DIR}
          echo ">> Commiting changes to ${BRANCH_NAME} ..."
          git add .
          git commit -m "chore: Update manifests after change"
          REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
          echo ">> Pushing changes to $REPO_URL ..."
          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" ${BRANCH_NAME}
          echo "----"
          echo "HEAD_BRANCH=${BRANCH_NAME}" >> $GITEA_OUTPUT
          echo "push=true" >> $GITEA_OUTPUT
      - name: Check for Pull Request
        id: check-for-pull-requst
        if: steps.commit-push.outputs.push == 'true'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
        run: |
          cd ${MANIFEST_DIR}
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
          echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
          echo ">> With Endpoint of:"
          echo "$API_ENDPOINT"
          HTTP_STATUS=$(
            curl -X GET \
              --silent \
              --write-out '%{http_code}' \
              --output response_body.json \
              --dump-header response_headers.txt \
              -H "Authorization: token ${GITEA_TOKEN}" \
              -H "Content-Type: application/json" \
              "$API_ENDPOINT" 2> response_errors.txt
          )
          echo ">> HTTP Status Code: $HTTP_STATUS"
          echo ">> Response Output ..."
          echo "----"
          cat response_body.json
          echo "----"
          cat response_headers.txt
          echo "----"
          cat response_errors.txt
          echo "----"
          if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
            echo ">> Pull Request has been found open, will update"
            PR_INDEX=$(cat response_body.json | jq -r .[0].number)
            echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
            echo "pull-request-index=true" >> $GITEA_OUTPUT
          elif [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "closed" ]; then
            echo ">> Pull Request found, but was closed"
            echo "pull-request-exists=false" >> $GITEA_OUTPUT
          else
            echo ">> Pull Request not found"
            echo "pull-request-exists=false" >> $GITEA_OUTPUT
          fi
          echo "----"
      - name: Create Pull Request
        id: create-pull-request
        if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
        run: |
          cd ${MANIFEST_DIR}
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
          PAYLOAD=$( jq -n \
            --arg head "${HEAD_BRANCH}" \
            --arg base "${BASE_BRANCH}" \
            --arg assignee "${ASSIGNEE}" \
            --arg title "Automated Manifest Update" \
            --arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
            '{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}' )
          echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
          echo ">> With Endpoint of:"
          echo "$API_ENDPOINT"
          echo ">> With Payload of:"
          echo "$PAYLOAD"
          HTTP_STATUS=$(
            curl -X POST \
              --silent \
              --write-out '%{http_code}' \
              --output response_body.json \
              --dump-header response_headers.txt \
              --data "$PAYLOAD" \
              -H "Authorization: token ${GITEA_TOKEN}" \
              -H "Content-Type: application/json" \
              "$API_ENDPOINT" 2> response_errors.txt
          )
          echo ">> HTTP Status Code: $HTTP_STATUS"
          echo ">> Response Output ..."
          echo "----"
          cat response_body.json
          echo "----"
          cat response_headers.txt
          echo "----"
          cat response_errors.txt
          echo "----"
          if [ "$HTTP_STATUS" == "201" ]; then
            echo ">> Pull Request created successfully!"
            PR_URL=$(cat response_body.json | jq -r .html_url)
            echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
            PR_ID=$(cat response_body.json | jq -r .id)
            echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
            echo "pull-request-operation=created" >> $GITEA_OUTPUT
          elif [ "$HTTP_STATUS" == "422" ]; then
            echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
          elif [ "$HTTP_STATUS" == "409" ]; then
            echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
          else
            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
            exit 1
          fi
          echo "----"
      - name: ntfy Created
        uses: niniyas/ntfy-action@master
        if: steps.create-pull-request.outputs.pull-request-operation == 'created'
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render PR Created - Infrastructure"
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,successfully,completed
          details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
      - name: ntfy Failed
        uses: niniyas/ntfy-action@master
        if: failure()
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render Failure - Infrastructure"
          priority: 4
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,failed
          details: "Manifest rendering for Infrastructure has failed!"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
          image: true
--- a/.gitea/workflows/render-manifests-push.yaml
+++ b/.gitea/workflows/render-manifests-push.yaml
@@ -1,423 +0,0 @@
 name: render-manifests-push
 on:
  push:
    branches:
      - main
    paths:
      - 'clusters/cl01tl/helm/**'
 env:
  CLUSTER: cl01tl
  BASE_BRANCH: manifests
  BRANCH_NAME: auto/update-manifests
  ASSIGNEE: alexlebens
  MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
  MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
 jobs:
  render-manifests-push:
    runs-on: ubuntu-js
    if: gitea.event.commits[0].author.username != 'renovate-bot'
    steps:
      - name: Checkout Main
        uses: actions/checkout@v6
        with:
          path: infrastructure
          fetch-depth: 0
      - name: Checkout Manifests
        uses: actions/checkout@v6
        with:
          ref: manifests
          path: infrastructure-manifests
      - name: Set up Helm
        uses: azure/setup-helm@v4
        with:
          token: ${{ secrets.GITEA_TOKEN }}
          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
          cache: true
      - name: Configure Kubeconfig
        uses: azure/k8s-set-context@v4
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - name: Prepare Manifest Branch
        run: |
          cd ${MANIFEST_DIR}
          echo ">> Configure git to use gitea-bot as user ..."
          git config user.name "gitea-bot"
          git config user.email "gitea-bot@alexlebens.net"
          echo ">> Checking if PR branch exists ..."
          if [[ $(git ls-remote --heads origin "${BRANCH_NAME}" | wc -l) -gt 0 ]]; then
            echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
            git fetch origin "${BRANCH_NAME}"
            git checkout "${BRANCH_NAME}"
            git pull --rebase
          else
            echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
            git checkout -b $BRANCH_NAME
          fi
          echo "----"
      - name: Check which Directories have Changes
        id: check-dir-changes
        run: |
          cd ${MAIN_DIR}
          RENDER_DIR=()
          echo ">> Checking for changes ..."
          GIT_DIFF=$(git diff --name-only ${{ gitea.event.before }}..HEAD | xargs -I {} dirname {} | sort -u | grep -E "clusters/[^/]+/helm/[^/]+")
          if [ -n "${GIT_DIFF}" ]; then
            echo ">> Changes detected:"
            echo "$GIT_DIFF"
            for path in $GIT_DIFF; do
              RENDER_DIR+=$(echo "$path" | awk -F '/' '{print $4}')
              RENDER_DIR+=$(echo " ")
            done
          else
            echo ">> No changes detected"
          fi
          if [ -n "${RENDER_DIR}" ]; then
            echo ">> Directories to Render:"
            echo "$(echo "${RENDER_DIR}" | sort -u)"
            echo "----"
            echo "changes-detected=true" >> $GITEA_OUTPUT
            echo "render-dir<<EOF" >> $GITEA_OUTPUT
            echo "$(echo "${RENDER_DIR}" | sort -u)" >> $GITEA_OUTPUT
            echo "EOF" >> $GITEA_OUTPUT
          else
            echo "changes-detected=false" >> $GITEA_OUTPUT
          fi
      - name: Add Repositories
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd ${MAIN_DIR}
          echo ">> Adding repositories for chart dependencies ..."
          for dir in ${RENDER_DIR}; do
            helm dependency list --max-col-width 120 ${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir 2> /dev/null \
              | tail +2 | head -n -1 \
              | awk '{ print "helm repo add " $1 " " $3 }' \
              | while read cmd; do
                if [[ "$cmd" == "*oci://*" ]]; then
                  echo ">> Ignoring OCI repo"
                else
                  echo "$cmd" | sh;
                fi
              done || true
          done
          if helm repo list | tail +2 | read -r; then
            echo ">> Update repository cache ..."
            helm repo update
          fi
          echo "----"
      - name: Remove Changed Manifest Files
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd ${MANIFEST_DIR}
          echo ">> Remove manfiest files and rebuild from source ..."
          for dir in ${RENDER_DIR}; do
            chart_path=${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$dir
            echo "$chart_path"
            rm -rf $chart_path/*
          done
          echo "----"
      - name: Render Helm Manifests
        id: render-manifests
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd ${MAIN_DIR}
          echo ">> Rendering Manifests ..."
          for dir in ${RENDER_DIR}; do
            chart_path=${MAIN_DIR}/clusters/${CLUSTER}/helm/$dir
            chart_name=$(basename "$chart_path")
            echo ""
            echo ""
            echo ">> Rendering chart: $chart_name"
            echo ">> Chart path $chart_path"
            if [ -f "$chart_path/Chart.yaml" ]; then
              OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name/"
              TEMPLATE=""
              mkdir -p ${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/$chart_name
              cd $chart_path
              echo ""
              echo ">> Updating helm dependency ..."
              helm dependency update --skip-refresh
              echo ""
              echo ">> Building helm dependency ..."
              helm dependency build --skip-refresh
              echo ""
              echo ">> Linting helm ..."
              helm lint --namespace "$chart_name"
              echo ""
              echo ">> Rendering templates ..."
              case "$chart_name" in
                "stack")
                  echo ""
                  echo ">> Special Rendering for stack into argocd namespace ..."
                  TEMPLATE=$(helm template $chart_name ./ --namespace argocd --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
                  ;;
                "cilium" | "coredns" | "metrics-server" |"prometheus-operator-crds")
                  echo ""
                  echo ">> Special Rendering for $chart_name into kube-system namespace ..."
                  TEMPLATE=$(helm template $chart_name ./ --namespace kube-system --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
                  ;;
                *)
                  echo ""
                  echo ">> Standard Rendering for $chart_name ..."
                  TEMPLATE=$(helm template "$chart_name" ./ --namespace "$chart_name" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
                  ;;
              esac
              echo ""
              echo ">> Formating rendered template ..."
              echo "$TEMPLATE" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"$OUTPUT_FOLDER"'" + .kind + "-" + .metadata.name + ".yaml"'
              # Strip comments again to ensure formatting correctness
              for file in "$OUTPUT_FOLDER"/*; do
                yq -i '... comments=""' $file
              done
              echo ""
              echo ">> Manifests for $chart_name rendered to $OUTPUT_FOLDER"
              ls $OUTPUT_FOLDER
              echo ""
            else
              echo ""
              echo ">> Directory $chart_path does not contain a Chart.yaml. Skipping ..."
              echo ""
            fi
          done
          echo "----"
      - name: Check for Changes
        id: check-changes
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        run: |
          cd ${MANIFEST_DIR}
          GIT_CHANGES=$(git status --porcelain)
          if [ -n "$GIT_CHANGES" ]; then
            echo ">> Changes detected"
            git status --porcelain
            echo "changes-detected=true" >> $GITEA_OUTPUT
          else
            echo ">> No changes detected, skipping PR creation"
          fi
          echo "----"
      - name: Commit and Push Changes
        id: commit-push
        if: steps.check-changes.outputs.changes-detected == 'true'
        run: |
          cd ${MANIFEST_DIR}
          echo ">> Commiting changes to ${BRANCH_NAME} ..."
          git add .
          git commit -m "chore: Update manifests after change"
          REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
          echo ">> Pushing changes to $REPO_URL ..."
          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@$(echo $REPO_URL | sed -e 's|https://||')" ${BRANCH_NAME}
          echo "----"
          echo "HEAD_BRANCH=${BRANCH_NAME}" >> $GITEA_OUTPUT
          echo "push=true" >> $GITEA_OUTPUT
      - name: Check for Pull Request
        id: check-for-pull-requst
        if: steps.commit-push.outputs.push == 'true'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
        run: |
          cd ${MANIFEST_DIR}
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
          echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
          echo ">> With Endpoint of:"
          echo "$API_ENDPOINT"
          HTTP_STATUS=$(
            curl -X GET \
              --silent \
              --write-out '%{http_code}' \
              --output response_body.json \
              --dump-header response_headers.txt \
              -H "Authorization: token ${GITEA_TOKEN}" \
              -H "Content-Type: application/json" \
              "$API_ENDPOINT" 2> response_errors.txt
          )
          echo ">> HTTP Status Code: $HTTP_STATUS"
          echo ">> Response Output ..."
          echo "----"
          cat response_body.json
          echo "----"
          cat response_headers.txt
          echo "----"
          cat response_errors.txt
          echo "----"
          if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
            echo ">> Pull Request has been found open, will update"
            PR_INDEX=$(cat response_body.json | jq -r .[0].number)
            echo "pull-request-exists=${PR_INDEX}" >> $GITEA_OUTPUT
            echo "pull-request-index=true" >> $GITEA_OUTPUT
          elif [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "closed" ]; then
            echo ">> Pull Request found, but was closed"
            echo "pull-request-exists=false" >> $GITEA_OUTPUT
          else
            echo ">> Pull Request not found"
            echo "pull-request-exists=false" >> $GITEA_OUTPUT
          fi
          echo "----"
      - name: Create Pull Request
        id: create-pull-request
        if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-requst.outputs.pull-request-exists == 'false'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          HEAD_BRANCH: ${{ steps.commit-push.outputs.HEAD_BRANCH }}
        run: |
          cd ${MANIFEST_DIR}
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
          PAYLOAD=$( jq -n \
            --arg head "${HEAD_BRANCH}" \
            --arg base "${BASE_BRANCH}" \
            --arg assignee "${ASSIGNEE}" \
            --arg title "Automated Manifest Update" \
            --arg body "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow." \
            '{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}' )
          echo ">> Creating PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
          echo ">> With Endpoint of:"
          echo "$API_ENDPOINT"
          echo ">> With Payload of:"
          echo "$PAYLOAD"
          HTTP_STATUS=$(
            curl -X POST \
              --silent \
              --write-out '%{http_code}' \
              --output response_body.json \
              --dump-header response_headers.txt \
              --data "$PAYLOAD" \
              -H "Authorization: token ${GITEA_TOKEN}" \
              -H "Content-Type: application/json" \
              "$API_ENDPOINT" 2> response_errors.txt
          )
          echo ">> HTTP Status Code: $HTTP_STATUS"
          echo ">> Response Output ..."
          echo "----"
          cat response_body.json
          echo "----"
          cat response_headers.txt
          echo "----"
          cat response_errors.txt
          echo "----"
          if [ "$HTTP_STATUS" == "201" ]; then
            echo ">> Pull Request created successfully!"
            PR_URL=$(cat response_body.json | jq -r .html_url)
            echo "pull-request-url=${PR_URL}" >> $GITEA_OUTPUT
            PR_ID=$(cat response_body.json | jq -r .id)
            echo "pull-request-id=${PR_ID}" >> $GITEA_OUTPUT
            echo "pull-request-operation=created" >> $GITEA_OUTPUT
          elif [ "$HTTP_STATUS" == "422" ]; then
            echo ">> Failed to create PR (HTTP 422: Unprocessable Entity), PR may already exist"
          elif [ "$HTTP_STATUS" == "409" ]; then
            echo ">> Failed to create PR (HTTP 409: Conflict), PR already exists"
          else
            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
            exit 1
          fi
          echo "----"
      - name: ntfy Created
        uses: niniyas/ntfy-action@master
        if: steps.create-pull-request.outputs.pull-request-operation == 'created'
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render PR Created - Infrastructure"
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,successfully,completed
          details: "Manifest rendering for Infrastructure has created a new Pull Request with ID: ${{ steps.create-pull-request.outputs.pull-request-id }}!"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "Open Gitea", "url": "${{ steps.create-pull-request.outputs.pull-request-url }}", "clear": true}]'
      - name: ntfy Failed
        uses: niniyas/ntfy-action@master
        if: failure()
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render Failure - Infrastructure"
          priority: 4
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,failed
          details: "Manifest rendering for Infrastructure has failed!"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/infrastructure/actions?workflow=render-manifests.yaml", "clear": true}]'
          image: true
--- a/.gitea/workflows/render-manifests.yaml
+++ b/.gitea/workflows/render-manifests.yaml
@@ -0,0 +1,624 @@
 name: render-manifests
 on:
  schedule:
    - cron: '0 15 * * *'
  workflow_dispatch:
  pull_request:
    branches:
      - main
    paths:
      - 'clusters/cl01tl/helm/**'
    types:
      - closed
 env:
  CLUSTER: cl01tl
  BASE_BRANCH: manifests
  BRANCH_NAME_BASE: auto/update-manifests
  ASSIGNEE: alexlebens
  MAIN_DIR: /workspace/alexlebens/infrastructure/infrastructure
  MANIFEST_DIR: /workspace/alexlebens/infrastructure/infrastructure-manifests
 jobs:
  render-manifests:
    runs-on: ubuntu-js
    if: >-
      github.event_name == 'schedule' ||
      github.event_name == 'workflow_dispatch' ||
      (github.event_name == 'pull_request' && github.event.pull_request.merged == true)
    steps:
      - name: Checkout Main
        uses: actions/checkout@v6
        with:
          path: infrastructure
          fetch-depth: 0
      - name: Checkout Manifests
        uses: actions/checkout@v6
        with:
          ref: manifests
          path: infrastructure-manifests
      - name: Set Up Helm
        uses: azure/setup-helm@v4
        with:
          token: ${{ secrets.GITEA_TOKEN }}
          version: v3.17.2 # Pending https://github.com/helm/helm/pull/30743
          cache: true
      - name: Configure Kubeconfig
        uses: azure/k8s-set-context@v4
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}
      - name: Cache Helm Dependencies
        uses: actions/cache@v5
        with:
          path: |
            ~/.cache/helm
            ~/.config/helm
          key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
          restore-keys: |
            helm-cache-${{ runner.os }}-
      - name: Determine Workflow Mode
        id: mode
        run: |
          IS_AUTOMERGE="false"
          RENDER_ALL="false"
          DIFF_TARGET=""
          if [[ "${{ github.event_name }}" == "schedule" || "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            echo ">> Mode: Dispatch/Schedule (Render All)"
            RENDER_ALL="true"
          elif [[ "${{ github.event_name }}" == "pull_request" ]]; then
            if [[ "${{ contains(github.event.pull_request.labels.*.name, 'automerge') }}" == "true" ]]; then
              echo ">> Mode: PR Merged (Automerge)"
              IS_AUTOMERGE="true"
            else
              echo ">> Mode: PR Merged (Standard)"
            fi
            DIFF_TARGET="HEAD^..HEAD"
          fi
          echo ""
          echo "----"
          echo "is-automerge=${IS_AUTOMERGE}" >> "$GITHUB_OUTPUT"
          echo "render-all=${RENDER_ALL}" >> "$GITHUB_OUTPUT"
          echo "diff-target=${DIFF_TARGET}" >> "$GITHUB_OUTPUT"
      - name: Prepare Manifest Branch
        id: prepare-manifest-branch
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
          IS_AUTOMERGE: ${{ steps.mode.outputs.is-automerge }}
        run: |
          cd "${MANIFEST_DIR}"
          echo ">> Configure git to use gitea-bot as user ..."
          git config user.name "gitea-bot"
          git config user.email "gitea-bot@alexlebens.net"
          if [[ "$IS_AUTOMERGE" == "true" ]]; then
            BRANCH_NAME="${BRANCH_NAME_BASE}-automerge-${PR_NUMBER}"
            echo ""
            echo ">> Creating branch ${BRANCH_NAME} ..."
            git checkout -B "$BRANCH_NAME"
          else
            echo ""
            echo ">> Checking if PR branch exists ..."
            BRANCH_NAME="${BRANCH_NAME_BASE}"
            if git ls-remote --exit-code --heads origin "${BRANCH_NAME}" > /dev/null 2>&1; then
              echo ""
              echo ">> Branch '${BRANCH_NAME}' exists, pulling changes ..."
              git fetch origin "${BRANCH_NAME}"
              git checkout "${BRANCH_NAME}"
              git pull --rebase
            else
              echo ""
              echo ">> Branch '${BRANCH_NAME}' does not exist, creating ..."
              git checkout -b "${BRANCH_NAME}"
            fi
          fi
          echo ""
          echo "----"
          echo "branch-name=${BRANCH_NAME}" >> "$GITHUB_OUTPUT"
      - name: Check Which Directories Have Changes
        id: check-dir-changes
        env:
          RENDER_ALL: ${{ steps.mode.outputs.render-all }}
          DIFF_TARGET: ${{ steps.mode.outputs.diff-target }}
        run: |
          cd "${MAIN_DIR}"
          if [[ "$RENDER_ALL" == "true" ]]; then
            echo ">> Triggered on dispatch, will check all paths ..."
            RENDER_DIR=$(find "clusters/${CLUSTER}/helm" -mindepth 1 -maxdepth 1 -type d -exec basename {} \; | sort -u)
          else
            echo ">> Checking for changes from ${DIFF_TARGET} ..."
            RENDER_DIR=$(git diff --name-only "${DIFF_TARGET}" | grep -E "^clusters/${CLUSTER}/helm/" | awk -F '/' '{print $4}' | sort -u || true)
          fi
          if [ -n "${RENDER_DIR}" ]; then
            echo ""
            echo ">> Directories to Render:"
            echo ""
            echo "${RENDER_DIR}"
            echo ""
            echo "----"
            echo "changes-detected=true" >> "$GITHUB_OUTPUT"
            echo "render-dir<<EOF" >> "$GITHUB_OUTPUT"
            echo "${RENDER_DIR}" >> "$GITHUB_OUTPUT"
            echo "EOF" >> "$GITHUB_OUTPUT"
          else
            echo ""
            echo ">> No chart changes detected"
            echo ""
            echo "----"
            echo "changes-detected=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Add Repositories
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd "${MAIN_DIR}"
          echo ">> Adding repositories for chart dependencies ..."
          echo ""
          for DIR in ${RENDER_DIR}; do
            helm dependency list --max-col-width 120 "${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}" 2> /dev/null \
              | tail -n +2 \
              | awk 'NF > 0 { print $1, $3 }' \
              | while read -r REPO_NAME REPO_URL; do
                if [[ "${REPO_URL}" == oci://* ]]; then
                  echo ">> Ignoring OCI repo: ${REPO_URL}"
                elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
                  helm repo add "${REPO_NAME}" "${REPO_URL}"
                fi
              done || true
          done
          if helm repo list > /dev/null 2>&1; then
            echo ""
            echo ">> Update repository cache ..."
            helm repo update
          fi
          echo ""
          echo "----"
      - name: Remove Changed Manifest Files
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd "${MANIFEST_DIR}"
          echo ">> Remove manifest files and rebuild from source ..."
          echo ""
          for DIR in ${RENDER_DIR}; do
            CHART_PATH="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${DIR}"
            echo "${CHART_PATH}"
            rm -rf "${CHART_PATH}"/*
          done
          echo ""
          echo "----"
      - name: Render Helm Manifests
        id: render-manifests
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        env:
          RENDER_DIR: ${{ steps.check-dir-changes.outputs.render-dir }}
        run: |
          cd "${MAIN_DIR}"
          echo ">> Rendering Manifests ..."
          render_chart() {
            local DIR="$1"
            local CHART_PATH="${MAIN_DIR}/clusters/${CLUSTER}/helm/${DIR}"
            local CHART_NAME=$(basename "${CHART_PATH}")
            echo ""
            echo ">> Rendering chart: ${CHART_NAME}"
            if [ -f "${CHART_PATH}/Chart.yaml" ]; then
              local OUTPUT_FOLDER="${MANIFEST_DIR}/clusters/${CLUSTER}/manifests/${CHART_NAME}/"
              mkdir -p "${OUTPUT_FOLDER}"
              cd "${CHART_PATH}"
              helm dependency update --skip-refresh > /dev/null
              helm lint --namespace "${CHART_NAME}" --quiet
              local NAMESPACE="${CHART_NAME}"
              case "${CHART_NAME}" in
                "stack")
                  NAMESPACE="argocd"
                  echo ">> Special Rendering into 'argocd' namespace ..."
                  ;;
                "cilium" | "coredns" | "metrics-server" | "prometheus-operator-crds")
                  NAMESPACE="kube-system"
                  echo ">> Special Rendering for ${CHART_NAME} into 'kube-system' namespace ..."
                  ;;
                *)
                  echo ">> Standard Rendering ..."
              esac
              echo ">> Formating rendered template ..."
              local TEMPLATE
              TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
              # Format and split rendered template
              echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
              # Strip comments again to ensure formatting correctness
              for file in "$OUTPUT_FOLDER"/*; do
                yq -i '... comments=""' $file
              done
              echo ">> Manifests for ${CHART_NAME} rendered successfully to $OUTPUT_FOLDER:"
              echo ""
              ls $OUTPUT_FOLDER
              echo ""
            else
              echo ""
              echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
            fi
          }
          export -f render_chart
          export MAIN_DIR CLUSTER MANIFEST_DIR
          # Run rendering in parallel
          for DIR in ${RENDER_DIR}; do
            echo "${DIR}"
          done | xargs -P 4 -I {} bash -c 'OUT=$(render_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
          echo ""
          echo "----"
      - name: Check for Changes
        id: check-changes
        if: steps.check-dir-changes.outputs.changes-detected == 'true'
        run: |
          cd "${MANIFEST_DIR}"
          GIT_CHANGES=$(git status --porcelain)
          if [ -n "${GIT_CHANGES}" ]; then
            echo ">> Changes detected"
            git status --porcelain
            CHANGED_CHARTS=$(echo "$GIT_CHANGES" | grep -oE "clusters/${CLUSTER}/manifests/[^/]+" | awk -F '/' '{print $4}' | sort -u | paste -sd ',' -)
            echo ""
            echo "----"
            echo "changes-detected=true" >> "$GITHUB_OUTPUT"
            echo "changed-charts-csv=${CHANGED_CHARTS}" >> "$GITHUB_OUTPUT"
          else
            echo ">> No changes detected, skipping PR creation"
            echo ""
            echo "----"
          fi
      - name: Commit and Push Changes
        id: commit-push
        if: steps.check-changes.outputs.changes-detected == 'true'
        env:
          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.branch-name }}
          IS_AUTOMERGE: ${{ steps.mode.outputs.is-automerge }}
        run: |
          cd "${MANIFEST_DIR}"
          MSG="chore: Update manifests after change"
          if [[ "$IS_AUTOMERGE" == "true" ]]; then
            MSG="chore: Update manifests after automerge"
          fi
          echo ">> Commiting changes to ${BRANCH_NAME} ..."
          git add .
          git commit -m "${MSG}"
          REPO_URL="${{ secrets.REPO_URL }}/${{ gitea.repository }}"
          echo ""
          echo ">> Pushing changes to ${REPO_URL} ..."
          git push -u "https://oauth2:${{ secrets.BOT_TOKEN }}@${REPO_URL#*://}" "${BRANCH_NAME}"
          echo ""
          echo "----"
          echo "push=true" >> "$GITHUB_OUTPUT"
          echo "head-branch=${BRANCH_NAME}" >> "$GITHUB_OUTPUT"
      - name: Check for Pull Request
        id: check-for-pull-request
        if: steps.commit-push.outputs.push == 'true' && steps.mode.outputs.is-automerge == 'false'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          HEAD_BRANCH: ${{ steps.commit-push.outputs.head-branch }}
        run: |
          cd "${MANIFEST_DIR}"
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls?base_branch=${BASE_BRANCH}&state=open&page=1"
          echo ">> Checking if PR from branch ${HEAD_BRANCH} into ${BASE_BRANCH}"
          echo ">> With Endpoint of:"
          echo "$API_ENDPOINT"
          HTTP_STATUS=$(curl -X GET -s -w '%{http_code}' -o response_body.json -H "Authorization: token ${GITEA_TOKEN}" -H "Content-Type: application/json" "$API_ENDPOINT")
          if [ "$HTTP_STATUS" == "200" ] && [ "$(cat response_body.json | jq -r .[0].state)" == "open" ]; then
            echo ""
            echo ">> Pull Request has been found open, will update"
            echo ""
            echo "----"
            echo "pull-request-exists=$(cat response_body.json | jq -r .[0].number)" >> "$GITHUB_OUTPUT"
          else
            echo ""
            echo ">> Pull Request not found"
            echo ""
            echo "----"
            echo "pull-request-exists=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Create Pull Request
        id: create-pull-request
        if: steps.commit-push.outputs.push == 'true' && (steps.mode.outputs.is-automerge == 'true' || steps.check-for-pull-request.outputs.pull-request-exists == 'false')
        env:
          IS_AUTOMERGE: ${{ steps.mode.outputs.is-automerge }}
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          HEAD_BRANCH: ${{ steps.commit-push.outputs.head-branch }}
          CHARTS: ${{ steps.check-changes.outputs.changed-charts-csv }}
          EVENT_NAME: ${{ github.event_name }}
          ACTOR: ${{ github.actor }}
          SHA: ${{ github.sha }}
          REF: ${{ github.ref_name }}
        run: |
          cd "${MANIFEST_DIR}"
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls"
          BODY=$(printf "This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.\n\n### Details\n- **Trigger**: \`%s\` by \`@%s\`\n- **Commit**: \`%s\` (on \`%s\`)\n- **Charts Updated**: \`%s\`" "${EVENT_NAME}" "${ACTOR}" "${SHA:0:7}" "${REF}" "${CHARTS}")
          if [[ "$IS_AUTOMERGE" == "true" ]]; then
            TITLE="Automated Manifest Update - Automerge"
            BODY=$(printf "%s\n\n_This PR is expected to be automerged._" "${BODY}")
          else
            TITLE="Automated Manifest Update"
          fi
          PAYLOAD=$(jq -n --arg head "${HEAD_BRANCH}" --arg base "${BASE_BRANCH}" --arg assignee "${ASSIGNEE}" --arg title "${TITLE}" --arg body "${BODY}" '{head: $head, base: $base, assignee: $assignee, title: $title, body: $body}')
          HTTP_STATUS=$(curl -X POST -s -w '%{http_code}' -o response_body.json --data "$PAYLOAD" -H "Authorization: token ${GITEA_TOKEN}" -H "Content-Type: application/json" "$API_ENDPOINT")
          if [ "$HTTP_STATUS" == "201" ]; then
            echo ">> Pull Request created successfully!"
            echo ""
            echo "----"
            echo "pull-request-id=$(jq -r .id response_body.json)" >> "$GITHUB_OUTPUT"
            echo "pull-request-number=$(jq -r .number response_body.json)" >> "$GITHUB_OUTPUT"
            echo "pull-request-operation=created" >> "$GITHUB_OUTPUT"
          elif [[ "$HTTP_STATUS" == "422" || "$HTTP_STATUS" == "409" ]]; then
            echo ""
            echo ">> Failed to create PR (Already exists)"
            echo ""
            echo "----"
          else
            echo ""
            echo ">> Failed to create PR, HTTP status code: $HTTP_STATUS"
            echo ""
            echo "----"
            exit 1
          fi
      - name: Update Pull Request
        id: update-pull-request
        if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-request.outputs.pull-request-exists != 'false' && steps.mode.outputs.is-automerge == 'false'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          PR_NUMBER: ${{ steps.check-for-pull-request.outputs.pull-request-exists }}
          CHARTS: ${{ steps.check-changes.outputs.changed-charts-csv }}
          EVENT_NAME: ${{ github.event_name }}
          ACTOR: ${{ github.actor }}
          SHA: ${{ github.sha }}
          REF: ${{ github.ref_name }}
        run: |
          cd "${MANIFEST_DIR}"
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls/${PR_NUMBER}"
          EXISTING_BODY=$(jq -r '.[0].body' response_body.json)
          NEW_DETAILS=$(printf "### Update Details (%s)\n- **Trigger**: \`%s\` by \`@%s\`\n- **Commit**: \`%s\` (on \`%s\`)\n- **Charts Updated**: \`%s\`" "$(date -u +'%Y-%m-%d %H:%M UTC')" "${EVENT_NAME}" "${ACTOR}" "${SHA:0:7}" "${REF}" "${CHARTS}")
          UPDATED_BODY=$(printf "%s\n\n%s" "${EXISTING_BODY}" "${NEW_DETAILS}")
          PAYLOAD=$(jq -n --arg body "${UPDATED_BODY}" '{body: $body}')
          HTTP_STATUS=$(curl -X PATCH -s -w '%{http_code}' -o update_response.json --data "$PAYLOAD" -H "Authorization: token ${GITEA_TOKEN}" -H "Content-Type: application/json" "$API_ENDPOINT")
          if [ "$HTTP_STATUS" == "201" ] || [ "$HTTP_STATUS" == "200" ]; then
            echo ">> Pull Request updated successfully!"
            echo ""
            echo "----"
            echo "pull-request-operation=updated" >> "$GITHUB_OUTPUT"
          else
            echo ">> Failed to update PR, HTTP status code: $HTTP_STATUS"; exit 1
            echo ""
            echo "----"
          fi
      - name: Merge Changes
        id: merge-changes
        if: steps.commit-push.outputs.push == 'true' && steps.mode.outputs.is-automerge == 'true'
        env:
          GITEA_TOKEN: ${{ secrets.BOT_TOKEN }}
          GITEA_URL: ${{ secrets.REPO_URL }}
          PR_NUMBER: ${{ steps.create-pull-request.outputs.pull-request-number }}
        run: |
          cd "${MANIFEST_DIR}"
          API_ENDPOINT="${GITEA_URL}/api/v1/repos/${{ gitea.repository }}/pulls/${PR_NUMBER}/merge"
          PAYLOAD=$(jq -n --arg Do "merge" '{Do: $Do}')
          HTTP_STATUS=$(curl -X POST -s -w '%{http_code}' -o response_body.json --data "$PAYLOAD" -H "Authorization: token ${GITEA_TOKEN}" -H "Content-Type: application/json" "$API_ENDPOINT")
          if [ "$HTTP_STATUS" == "200" ]; then
            echo ">> Pull Request merged successfully!"
            echo ""
            echo "----"
            echo "pull-request-operation=merged" >> "$GITHUB_OUTPUT"
          else
            echo ">> Failed to merge PR, HTTP status code: $HTTP_STATUS"; exit 1
            echo ""
            echo "----"
          fi
      - name: Cleanup Branch
        if: failure() && steps.mode.outputs.is-automerge == 'true'
        env:
          BRANCH_NAME: ${{ steps.prepare-manifest-branch.outputs.branch-name }}
        run: |
          cd "${MANIFEST_DIR}"
          echo ">> Removing branch: ${BRANCH_NAME}"
          git push origin --delete "${BRANCH_NAME}" || true
          echo ""
          echo "----"
      - name: ntfy Created
        uses: niniyas/ntfy-action@master
        if: steps.create-pull-request.outputs.pull-request-operation == 'created' && steps.mode.outputs.is-automerge == 'false'
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render - Open PR"
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,successfully,completed
          details: "Created renderd manifests for cluster '${{ env.CLUSTER }}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
      - name: ntfy Updated
        uses: niniyas/ntfy-action@master
        if: steps.commit-push.outputs.push == 'true' && steps.check-for-pull-request.outputs.pull-request-exists != 'false' && steps.mode.outputs.is-automerge == 'false'
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render - PR Updated"
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,successfully,completed
          details: "Updated rendered manifests PR for cluster '${{ env.CLUSTER }}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
      - name: ntfy Merged
        uses: niniyas/ntfy-action@master
        if: steps.merge-changes.outputs.pull-request-operation == 'merged'
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render - Automerged"
          priority: 3
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,successfully,completed
          details: "Automerged manifest rendering for cluster '${{ env.CLUSTER }}' with charts: ${{ steps.check-changes.outputs.changed-charts-csv }}"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "View PR", "url": "${{ vars.USER_URL }}/${{ github.repository }}/pulls/${{ steps.create-pull-request.outputs.pull-request-number }}", "clear": true}]'
      - name: ntfy Failed
        uses: niniyas/ntfy-action@master
        if: failure()
        with:
          url: "${{ secrets.NTFY_URL }}"
          topic: "${{ secrets.NTFY_TOPIC }}"
          title: "Manifest Render Failure"
          priority: 4
          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
          tags: action,failed
          details: "Manifest rendering for Infrastructure has failed!"
          icon: "https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png"
          actions: '[{"action": "view", "label": "View Logs", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v2.3.0
+    rev: v6.0.0
    hooks:
      - id: end-of-file-fixer
      - id: trailing-whitespace
@@ -9,7 +9,9 @@ repos:
        exclude: '^.*\/templates\/.*$'
        args:
          - --multi
      - id: check-merge-conflict
      - id: check-json
  - repo: https://github.com/IamTheFij/docker-pre-commit
-    rev: v2.0.0
+    rev: v3.0.1
    hooks:
      - id: docker-compose-check
--- a/clusters/cl01tl/helm/actual/values.yaml
+++ b/clusters/cl01tl/helm/actual/values.yaml
@@ -81,7 +81,8 @@ volsync-target-data:
    enabled: true
    schedule: 0 8 * * *
  remote:
    enabled: false
  external:
    enabled: true
    schedule: 0 9 * * *
  external:
    enabled: true
    schedule: 0 10 * * *
--- a/clusters/cl01tl/helm/argo-workflows/Chart.lock
+++ b/clusters/cl01tl/helm/argo-workflows/Chart.lock
@@ -1,12 +1,12 @@
 dependencies:
 - name: argo-workflows
  repository: https://argoproj.github.io/argo-helm
-  version: 0.47.4
+  version: 1.0.2
 - name: argo-events
  repository: https://argoproj.github.io/argo-helm
  version: 2.4.20
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.8.0
+  version: 7.10.0
-digest: sha256:772ba83a6e0fa6a7e3633ff1fff0f8221b45a1f36ec890489cfa383330d99f81
+digest: sha256:8d1c2dd011a360d930ed5ff186462f163407077d36ae633898ec5d6ba30a4e8d
-generated: "2026-02-27T18:14:32.22595048Z"
+generated: "2026-03-15T20:04:18.080966008Z"
--- a/clusters/cl01tl/helm/argo-workflows/Chart.yaml
+++ b/clusters/cl01tl/helm/argo-workflows/Chart.yaml
@@ -18,15 +18,15 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: argo-workflows
-    version: 0.47.4
+    version: 1.0.2
    repository: https://argoproj.github.io/argo-helm
  - name: argo-events
    version: 2.4.20
    repository: https://argoproj.github.io/argo-helm
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.8.0
+    version: 7.10.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 # renovate: datasource=github-releases depName=argoproj/argo-workflows
-appVersion: v4.0.1
+appVersion: v4.0.2
--- a/clusters/cl01tl/helm/argo-workflows/values.yaml
+++ b/clusters/cl01tl/helm/argo-workflows/values.yaml
@@ -1,4 +1,14 @@
 argo-workflows:
  crds:
    install: true
    keep: true
    # -- Use full CRDs with complete OpenAPI schemas. When false, uses minified CRDs with x-kubernetes-preserve-unknown-fields.
    # Full CRDs are very large and are installed via a pre-install/pre-upgrade hook Job that uses server-side apply.
    full: true
    upgradeJob:
      image:
        repository: registry.k8s.io/kubectl
        tag: v1.35.2
  controller:
    metricsConfig:
      enabled: true
@@ -105,7 +115,7 @@ postgres-18-cluster:
      - name: live-backup
        suspend: false
        immediate: true
-        schedule: "0 0 0 * * *"
+        schedule: "0 0 14 * * *"
        backupName: garage-local
      # - name: weekly-backup
      #   suspend: true
--- a/clusters/cl01tl/helm/audiobookshelf/Chart.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/Chart.yaml
@@ -29,4 +29,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
 # renovate: datasource=github-releases depName=advplyr/audiobookshelf
-appVersion: 2.32.1
+appVersion: 2.33.0
--- a/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
@@ -1,14 +1,52 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: audiobookshelf-nfs-storage
+  name: audiobookshelf-books-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: audiobookshelf-nfs-storage
+    app.kubernetes.io/name: audiobookshelf-books-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: audiobookshelf-nfs-storage
+  volumeName: audiobookshelf-books-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: audiobookshelf-audiobooks-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeName: audiobookshelf-audiobooks-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: audiobookshelf-podcasts-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  volumeName: audiobookshelf-podcasts-nfs-storage
  storageClassName: nfs-client
  accessModes:
    - ReadWriteMany
--- a/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml
@@ -1,10 +1,10 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: audiobookshelf-nfs-storage
+  name: audiobookshelf-books-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: audiobookshelf-nfs-storage
+    app.kubernetes.io/name: audiobookshelf-books-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
@@ -15,7 +15,57 @@ spec:
  accessModes:
    - ReadWriteMany
  nfs:
-    path: /volume2/Storage
+    path: /volume2/Storage/Books
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: audiobookshelf-audiobooks-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /volume2/Storage/Audiobooks
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
    - minorversion=1
    - noac
 ---
 apiVersion: v1
 kind: PersistentVolume
 metadata:
  name: audiobookshelf-podcasts-nfs-storage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-client
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  nfs:
    path: /volume2/Storage/Podcasts
    server: synologybond.alexlebens.net
  mountOptions:
    - vers=4
--- a/clusters/cl01tl/helm/audiobookshelf/values.yaml
+++ b/clusters/cl01tl/helm/audiobookshelf/values.yaml
@@ -9,7 +9,7 @@ audiobookshelf:
        main:
          image:
            repository: ghcr.io/advplyr/audiobookshelf
-            tag: 2.32.1
+            tag: 2.33.0
            pullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -114,12 +114,26 @@ audiobookshelf:
          main:
            - path: /metadata
              readOnly: false
-    audiobooks:
+    books:
-      existingClaim: audiobookshelf-nfs-storage
+      existingClaim: audiobookshelf-books-nfs-storage
      advancedMounts:
        main:
          main:
-            - path: /mnt/store/
+            - path: /mnt/store/Books
              readOnly: false
    audiobooks:
      existingClaim: audiobookshelf-audiobooks-nfs-storage
      advancedMounts:
        main:
          main:
            - path: /mnt/store/Audiobooks
              readOnly: false
    podcasts:
      existingClaim: audiobookshelf-podcasts-nfs-storage
      advancedMounts:
        main:
          main:
            - path: /mnt/store/Podcasts
              readOnly: false
 volsync-target-config:
  pvcTarget: audiobookshelf-config
@@ -127,17 +141,19 @@ volsync-target-config:
    enabled: true
    schedule: 2 8 * * *
  remote:
    enabled: false
  external:
    enabled: true
    schedule: 2 9 * * *
  external:
    enabled: true
    schedule: 2 10 * * *
 volsync-target-metadata:
  pvcTarget: audiobookshelf-metadata
  local:
    enabled: true
    schedule: 4 8 * * *
  remote:
    enabled: false
  external:
    enabled: true
    schedule: 4 9 * * *
  external:
    enabled: true
    schedule: 4 10 * * *
--- a/clusters/cl01tl/helm/authentik/Chart.lock
+++ b/clusters/cl01tl/helm/authentik/Chart.lock
@@ -7,9 +7,9 @@ dependencies:
  version: 2.4.0
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.8.0
+  version: 7.10.0
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.4.0
-digest: sha256:fad7059feb4ac80e06cd571a56215d56e4894eba69fb54aaa1e53ced9ec1b2b1
+digest: sha256:8c353c5dad4c3d04d518c1445497f0d1cb64261a4201ae17a2c0874454b807a7
-generated: "2026-03-09T23:06:05.608952158Z"
+generated: "2026-03-15T20:04:35.99407071Z"
--- a/clusters/cl01tl/helm/authentik/Chart.yaml
+++ b/clusters/cl01tl/helm/authentik/Chart.yaml
@@ -28,7 +28,7 @@ dependencies:
    version: 2.4.0
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.8.0
+    version: 7.10.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: valkey
    alias: valkey
--- a/clusters/cl01tl/helm/authentik/values.yaml
+++ b/clusters/cl01tl/helm/authentik/values.yaml
@@ -68,7 +68,7 @@ postgres-18-cluster:
  recovery:
    method: objectStore
    objectStore:
-      index: 1
+      index: 2
  backup:
    objectStore:
      - name: garage-local
@@ -91,9 +91,9 @@ postgres-18-cluster:
      #   isWALArchiver: false
    scheduledBackups:
      - name: live-backup
-        suspend: true
+        suspend: false
        immediate: true
-        schedule: "0 0 0 * * *"
+        schedule: "0 5 14 * * *"
        backupName: garage-local
      # - name: weekly-backup
      #   suspend: true
--- a/clusters/cl01tl/helm/backrest/Chart.yaml
+++ b/clusters/cl01tl/helm/backrest/Chart.yaml
@@ -27,4 +27,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/backrest.png
 # renovate: datasource=github-releases depName=garethgeorge/backrest
-appVersion: v1.12.0
+appVersion: v1.12.1
--- a/clusters/cl01tl/helm/backrest/values.yaml
+++ b/clusters/cl01tl/helm/backrest/values.yaml
@@ -8,7 +8,7 @@ backrest:
        main:
          image:
            repository: garethgeorge/backrest
-            tag: v1.12.0
+            tag: v1.12.1
            pullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -111,17 +111,19 @@ volsync-target-data:
    enabled: true
    schedule: 6 8 * * *
  remote:
    enabled: false
  external:
    enabled: true
    schedule: 6 9 * * *
  external:
    enabled: true
    schedule: 6 10 * * *
 volsync-target-config:
  pvcTarget: backrest-config
  local:
    enabled: true
    schedule: 8 8 * * *
  remote:
    enabled: false
  external:
    enabled: true
    schedule: 8 9 * * *
  external:
    enabled: true
    schedule: 8 10 * * *
--- a/clusters/cl01tl/helm/bazarr/Chart.yaml
+++ b/clusters/cl01tl/helm/bazarr/Chart.yaml
@@ -6,7 +6,7 @@ keywords:
  - bazarr
  - servarr
  - subtitles
-home: https://wiki.alexlebens.dev/s/92784d53-1d43-42fd-b509-f42c73454226
+home: https://wiki.alexlebens.dev/s/
 sources:
  - https://github.com/morpheus65535/bazarr
  - https://github.com/linuxserver/docker-bazarr
--- a/clusters/cl01tl/helm/bazarr/values.yaml
+++ b/clusters/cl01tl/helm/bazarr/values.yaml
@@ -15,7 +15,7 @@ bazarr:
        main:
          image:
            repository: ghcr.io/linuxserver/bazarr
-            tag: 1.5.6@sha256:94eee5e3e14430b7b144d4556be73963a7daf6f1bddc25586627f426465482ce
+            tag: 1.5.6@sha256:05f9d5b24884f37120453dc1a008a47be244eebec32099ae1bd29032e75b67aa
            pullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -87,7 +87,8 @@ volsync-target-config:
    enabled: true
    schedule: 10 8 * * *
  remote:
    enabled: false
  external:
    enabled: true
    schedule: 10 9 * * *
  external:
    enabled: true
    schedule: 10 10 * * *
--- a/clusters/cl01tl/helm/blocky/values.yaml
+++ b/clusters/cl01tl/helm/blocky/values.yaml
@@ -135,6 +135,7 @@ blocky:
              komodo                          IN      CNAME   traefik-cl01tl
              lidarr                          IN      CNAME   traefik-cl01tl
              mail                            IN      CNAME   traefik-cl01tl
              movie-roulette                  IN      CNAME   traefik-cl01tl
              music-grabber                   IN      CNAME   traefik-cl01tl
              navidrome                       IN      CNAME   traefik-cl01tl
              ntfy                            IN      CNAME   traefik-cl01tl
--- a/clusters/cl01tl/helm/booklore/Chart.lock
+++ b/clusters/cl01tl/helm/booklore/Chart.lock
@@ -4,12 +4,12 @@ dependencies:
  version: 4.6.2
 - name: mariadb-cluster
  repository: https://helm.mariadb.com/mariadb-operator
-  version: 25.10.4
+  version: 26.3.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.8.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.8.0
-digest: sha256:d4c7bf75f72f7eab4ad968bf9f55daac9392c9b2df08f8a27c5dc4f8fffb5f57
+digest: sha256:e65fa008c652092da5431e9780eb2a87c944298a12e58e432efad61c9e826da5
-generated: "2026-03-06T01:06:05.696573273Z"
+generated: "2026-03-14T23:57:22.721295098Z"
--- a/clusters/cl01tl/helm/booklore/Chart.yaml
+++ b/clusters/cl01tl/helm/booklore/Chart.yaml
@@ -18,7 +18,7 @@ dependencies:
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.6.2
  - name: mariadb-cluster
-    version: 25.10.4
+    version: 26.3.0
    repository: https://helm.mariadb.com/mariadb-operator
  - name: volsync-target
    alias: volsync-target-config
@@ -30,4 +30,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/booklore.png
 # renovate: datasource=github-releases depName=booklore-app/BookLore
-appVersion: v2.1.0
+appVersion: v2.2.1
--- a/clusters/cl01tl/helm/booklore/templates/replication-destination.yaml
+++ b/clusters/cl01tl/helm/booklore/templates/replication-destination.yaml
@@ -1,15 +0,0 @@
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationDestination
 metadata:
  name: booklore-data-replication-destination
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: booklore-data-replication-destination
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  rsyncTLS:
    copyMethod: Direct
    accessModes: ["ReadWriteMany"]
    destinationPVC: booklore-books-nfs-storage
    keySecret: booklore-data-replication-secret
--- a/clusters/cl01tl/helm/booklore/templates/replication-source.yaml
+++ b/clusters/cl01tl/helm/booklore/templates/replication-source.yaml
@@ -1,17 +0,0 @@
 apiVersion: volsync.backube/v1alpha1
 kind: ReplicationSource
 metadata:
  name: booklore-data-replication-source
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: booklore-data-replication-source
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  sourcePVC: booklore-data
  trigger:
    schedule: "0 0 * * *"
  rsyncTLS:
    keySecret: booklore-data-replication-secret
    address: volsync-rsync-tls-dst-booklore-data-replication-destination
    copyMethod: Snapshot
--- a/clusters/cl01tl/helm/booklore/values.yaml
+++ b/clusters/cl01tl/helm/booklore/values.yaml
@@ -9,7 +9,7 @@ booklore:
        main:
          image:
            repository: ghcr.io/booklore-app/booklore
-            tag: v2.1.0
+            tag: v2.2.1
            pullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -225,10 +225,11 @@ volsync-target-config:
    enabled: true
    schedule: 12 8 * * *
  remote:
    enabled: false
  external:
    enabled: true
    schedule: 12 9 * * *
  external:
    enabled: true
    schedule: 12 10 * * *
 volsync-target-data:
  pvcTarget: booklore-data
  local:
@@ -238,11 +239,11 @@ volsync-target-data:
      cacheCapacity: 10Gi
  remote:
    enabled: true
-    schedule: 14 10 * * *
+    schedule: 14 9 * * *
    restic:
      cacheCapacity: 10Gi
  external:
    enabled: true
-    schedule: 14 9 * * *
+    schedule: 14 10 * * *
    restic:
      cacheCapacity: 10Gi
--- a/clusters/cl01tl/helm/code-server/values.yaml
+++ b/clusters/cl01tl/helm/code-server/values.yaml
@@ -9,7 +9,7 @@ code-server:
        main:
          image:
            repository: ghcr.io/linuxserver/code-server
-            tag: 4.110.0@sha256:8473aa16fba93fccc3ca772173d095bccd2e44d4d3104467fee923df10d57cd2
+            tag: 4.111.0@sha256:12c04b41f601604795562ece2ac64cade7cfca632415f4bfb1742477e3226272
            pullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -79,7 +79,8 @@ volsync-target-config:
    enabled: true
    schedule: 16 8 * * *
  remote:
    enabled: false
  external:
    enabled: true
    schedule: 16 9 * * *
  external:
    enabled: true
    schedule: 16 10 * * *
--- a/clusters/cl01tl/helm/coredns/Chart.yaml
+++ b/clusters/cl01tl/helm/coredns/Chart.yaml
@@ -7,7 +7,7 @@ keywords:
  - dns
  - network
  - kubernetes
-home: https://wiki.alexlebens.dev/s/43947ec6-a034-449f-8c76-982ac493b072
+home: https://wiki.alexlebens.dev/s/
 sources:
  - https://github.com/coredns/coredns
  - https://github.com/coredns/helm
--- a/clusters/cl01tl/helm/coredns/values.yaml
+++ b/clusters/cl01tl/helm/coredns/values.yaml
@@ -1,7 +1,7 @@
 coredns:
  image:
    repository: registry.k8s.io/coredns/coredns
-    tag: v1.14.1
+    tag: v1.14.2
  replicaCount: 3
  resources:
    requests:
--- a/clusters/cl01tl/helm/dawarich/Chart.lock
+++ b/clusters/cl01tl/helm/dawarich/Chart.lock
@@ -4,9 +4,9 @@ dependencies:
  version: 4.6.2
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.8.0
+  version: 7.10.0
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.4.0
-digest: sha256:f21fb0c49396d888de95d0b4c59ed535437422c1b24e622bf074ed0fbb22e03a
+digest: sha256:7584c2a1613454bbd83b66df46170fd0157df5186842844d483e2dd131398574
-generated: "2026-03-09T23:06:27.025881262Z"
+generated: "2026-03-15T20:04:49.68456485Z"
--- a/clusters/cl01tl/helm/dawarich/Chart.yaml
+++ b/clusters/cl01tl/helm/dawarich/Chart.yaml
@@ -18,7 +18,7 @@ dependencies:
    version: 4.6.2
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.8.0
+    version: 7.10.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: valkey
    alias: valkey
@@ -26,4 +26,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png
 # renovate: datasource=github-releases depName=Freika/dawarich
-appVersion: 1.3.2
+appVersion: 1.3.4
--- a/clusters/cl01tl/helm/dawarich/values.yaml
+++ b/clusters/cl01tl/helm/dawarich/values.yaml
@@ -9,7 +9,7 @@ dawarich:
        main:
          image:
            repository: freikin/dawarich
-            tag: 1.3.2
+            tag: 1.3.4
            pullPolicy: IfNotPresent
          command: ["web-entrypoint.sh"]
          args: ["bin/rails", "server", "-p", "3000", "-b", "::"]
@@ -106,7 +106,7 @@ dawarich:
        sidekiq:
          image:
            repository: freikin/dawarich
-            tag: 1.3.2
+            tag: 1.3.4
            pullPolicy: IfNotPresent
          command: ["sidekiq-entrypoint.sh"]
          args: ["sidekiq"]
@@ -330,7 +330,7 @@ postgres-18-cluster:
      - name: live-backup
        suspend: false
        immediate: true
-        schedule: "0 0 0 * * *"
+        schedule: "0 10 14 * * *"
        backupName: garage-local
      # - name: weekly-backup
      #   suspend: true
--- a/clusters/cl01tl/helm/directus/Chart.lock
+++ b/clusters/cl01tl/helm/directus/Chart.lock
@@ -4,9 +4,9 @@ dependencies:
  version: 4.6.2
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.8.0
+  version: 7.10.0
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.4.0
-digest: sha256:2c38827f09e57aeff21409bf223edf3f889069db6d05c39f0404ed0c974cabb3
+digest: sha256:dfcb5d35e03ecdc4206227d206d36509319f0dcdaed54363840d71337debb3f7
-generated: "2026-03-09T23:06:37.271648311Z"
+generated: "2026-03-15T20:05:03.156596646Z"
--- a/clusters/cl01tl/helm/directus/Chart.yaml
+++ b/clusters/cl01tl/helm/directus/Chart.yaml
@@ -23,7 +23,7 @@ dependencies:
    version: 4.6.2
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.8.0
+    version: 7.10.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: valkey
    alias: valkey
@@ -31,4 +31,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
 # renovate: datasource=github-releases depName=directus/directus
-appVersion: 11.16.0
+appVersion: 11.16.1
--- a/clusters/cl01tl/helm/directus/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/directus/templates/external-secret.yaml
@@ -94,6 +94,43 @@ spec:
        metadataPolicy: None
        property: metric-token
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: directus-bucket-garage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: directus-bucket-garage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/directus-assets
        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/directus-assets
        metadataPolicy: None
        property: ACCESS_SECRET_KEY
    - secretKey: ACCESS_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/directus-assets
        metadataPolicy: None
        property: ACCESS_REGION
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
--- a/clusters/cl01tl/helm/directus/templates/object-bucket-claim.yaml
+++ b/clusters/cl01tl/helm/directus/templates/object-bucket-claim.yaml
@@ -1,11 +0,0 @@
 apiVersion: objectbucket.io/v1alpha1
 kind: ObjectBucketClaim
 metadata:
  name: ceph-bucket-directus
  labels:
    app.kubernetes.io/name: ceph-bucket-directus
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  generateBucketName: bucket-directus
  storageClassName: ceph-bucket
--- a/clusters/cl01tl/helm/directus/values.yaml
+++ b/clusters/cl01tl/helm/directus/values.yaml
@@ -9,7 +9,7 @@ directus:
        main:
          image:
            repository: directus/directus
-            tag: 11.16.0
+            tag: 11.16.1
            pullPolicy: IfNotPresent
          env:
            - name: PUBLIC_URL
@@ -90,22 +90,22 @@ directus:
            - name: STORAGE_S3_KEY
              valueFrom:
                secretKeyRef:
-                  name: ceph-bucket-directus
+                  name: directus-bucket-garage
-                  key: AWS_ACCESS_KEY_ID
+                  key: ACCESS_KEY_ID
            - name: STORAGE_S3_SECRET
              valueFrom:
                secretKeyRef:
-                  name: ceph-bucket-directus
+                  name: directus-bucket-garage
-                  key: AWS_SECRET_ACCESS_KEY
+                  key: ACCESS_SECRET_KEY
            - name: STORAGE_S3_BUCKET
              valueFrom:
                configMapKeyRef:
                  name: ceph-bucket-directus
                  key: BUCKET_NAME
            - name: STORAGE_S3_REGION
-              value: us-east-1
+              valueFrom:
                secretKeyRef:
                  name: directus-bucket-garage
                  key: ACCESS_REGION
            - name: STORAGE_S3_BUCKET
              value: directus-assets
            - name: STORAGE_S3_ENDPOINT
-              value: http://rook-ceph-rgw-ceph-objectstore.rook-ceph.svc:80
+              value: http://garage-main.garage:3900
            - name: STORAGE_S3_FORCE_PATH_STYLE
              value: true
            - name: AUTH_PROVIDERS
@@ -219,7 +219,7 @@ postgres-18-cluster:
      - name: live-backup
        suspend: false
        immediate: true
-        schedule: "0 0 0 * * *"
+        schedule: "0 15 14 * * *"
        backupName: garage-local
      # - name: weekly-backup
      #   suspend: true
--- a/clusters/cl01tl/helm/element-web/Chart.lock
+++ b/clusters/cl01tl/helm/element-web/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: element-web
  repository: https://ananace.gitlab.io/charts
-  version: 1.4.31
+  version: 1.4.32
 - name: cloudflared
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 2.4.0
-digest: sha256:5066932d870c4803fca9bc4d7b686793e801d96b14026c299e467d8c107fb7eb
+digest: sha256:49d9dd45eff7cbbc11644e4a8bd3c9d3bf84716ed034a76f097f0ba1fea4c934
-generated: "2026-03-09T22:04:10.470135964Z"
+generated: "2026-03-11T16:04:17.556777286Z"
--- a/clusters/cl01tl/helm/element-web/Chart.yaml
+++ b/clusters/cl01tl/helm/element-web/Chart.yaml
@@ -17,7 +17,7 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: element-web
-    version: 1.4.31
+    version: 1.4.32
    repository: https://ananace.gitlab.io/charts
  - name: cloudflared
    repository: oci://harbor.alexlebens.net/helm-charts
--- a/clusters/cl01tl/helm/element-web/values.yaml
+++ b/clusters/cl01tl/helm/element-web/values.yaml
@@ -2,7 +2,7 @@ element-web:
  replicaCount: 1
  image:
    repository: vectorim/element-web
-    tag: v1.12.11
+    tag: v1.12.12
    pullPolicy: IfNotPresent
  defaultServer:
    url: https://matrix.alexlebens.dev
--- a/clusters/cl01tl/helm/freshrss/Chart.lock
+++ b/clusters/cl01tl/helm/freshrss/Chart.lock
@@ -7,9 +7,9 @@ dependencies:
  version: 2.4.0
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.8.0
+  version: 7.10.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.8.0
-digest: sha256:99f1993c99c23ba5b3af6997d859cbb18f26343e424c1312f8b6169f285a3418
+digest: sha256:a7bdbecd50433fedd65d3043102fe3c9e366dc98953c37eb0cfe762bce833e8e
-generated: "2026-03-09T22:04:20.416597531Z"
+generated: "2026-03-15T20:05:14.085780861Z"
--- a/clusters/cl01tl/helm/freshrss/Chart.yaml
+++ b/clusters/cl01tl/helm/freshrss/Chart.yaml
@@ -26,7 +26,7 @@ dependencies:
    version: 2.4.0
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.8.0
+    version: 7.10.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-data
--- a/clusters/cl01tl/helm/freshrss/values.yaml
+++ b/clusters/cl01tl/helm/freshrss/values.yaml
@@ -197,7 +197,7 @@ postgres-18-cluster:
  recovery:
    method: objectStore
    objectStore:
-      index: 1
+      index: 2
  backup:
    objectStore:
      - name: garage-local
@@ -222,7 +222,7 @@ postgres-18-cluster:
      - name: live-backup
        suspend: false
        immediate: true
-        schedule: "0 0 0 * * *"
+        schedule: "0 20 14 * * *"
        backupName: garage-local
      # - name: weekly-backup
      #   suspend: true
@@ -250,7 +250,8 @@ volsync-target-data:
    enabled: true
    schedule: 18 8 * * *
  remote:
    enabled: false
  external:
    enabled: true
    schedule: 18 9 * * *
  external:
    enabled: true
    schedule: 18 10 * * *
--- a/clusters/cl01tl/helm/garage/templates/service.yaml
+++ b/clusters/cl01tl/helm/garage/templates/service.yaml
@@ -0,0 +1,32 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: garage-main
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: garage-main
    app.kubernetes.io/service: garage-main
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  ports:
    - name: admin
      port: 3903
      protocol: TCP
      targetPort: 3903
    - name: rpc
      port: 3901
      protocol: TCP
      targetPort: 3901
    - name: s3
      port: 3900
      protocol: TCP
      targetPort: 3900
    - name: web
      port: 3902
      protocol: TCP
      targetPort: 3902
  selector:
    app.kubernetes.io/instance: garage
    app.kubernetes.io/name: garage
    garage-type: server
--- a/clusters/cl01tl/helm/garage/values.yaml
+++ b/clusters/cl01tl/helm/garage/values.yaml
@@ -118,9 +118,9 @@ garage:
            pullPolicy: IfNotPresent
          env:
            - name: API_BASE_URL
-              value: http://garage-1.garage:3903
+              value: http://garage-main.garage:3903
            - name: S3_ENDPOINT_URL
-              value: http://garage-1.garage:3900
+              value: http://garage-main.garage:3900
            - name: API_ADMIN_KEY
              valueFrom:
                secretKeyRef:
@@ -225,26 +225,6 @@ garage:
          api_bind_addr = "[::]:3903"
          metrics_require_token = true
  service:
    garage-main:
      forceRename: garage-main
      controller: server-2
      ports:
        s3:
          port: 3900
          targetPort: 3900
          protocol: HTTP
        rpc:
          port: 3901
          targetPort: 3901
          protocol: HTTP
        web:
          port: 3902
          targetPort: 3902
          protocol : HTTP
        admin:
          port: 3903
          targetPort: 3903
          protocol: HTTP
    server-1:
      forceRename: garage-1
      controller: server-1
@@ -322,8 +302,8 @@ garage:
      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
      endpoints:
        - port: admin
-          interval: 1m
+          interval: 5m
-          scrapeTimeout: 30s
+          scrapeTimeout: 2m
          path: /metrics
          bearerTokenSecret:
            name: garage-token-secret
--- a/clusters/cl01tl/helm/gatus/Chart.lock
+++ b/clusters/cl01tl/helm/gatus/Chart.lock
@@ -4,9 +4,9 @@ dependencies:
  version: 1.5.0
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.8.0
+  version: 7.10.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.8.0
-digest: sha256:c0c46db33b89b7a53dd512d19d07623a1eaafcc93668f0afacbb8d8c56d71e47
+digest: sha256:83ec84774e0cc708f1cb5d83d657180159bfb75c9928784ebf0280e224b1cbca
-generated: "2026-03-06T01:07:17.642671539Z"
+generated: "2026-03-15T20:05:27.625292422Z"
--- a/clusters/cl01tl/helm/gatus/Chart.yaml
+++ b/clusters/cl01tl/helm/gatus/Chart.yaml
@@ -22,7 +22,7 @@ dependencies:
    version: 1.5.0
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.8.0
+    version: 7.10.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-data
--- a/clusters/cl01tl/helm/gatus/values.yaml
+++ b/clusters/cl01tl/helm/gatus/values.yaml
@@ -137,6 +137,9 @@ gatus:
      - name: yamtrack
        url: https://yamtrack.alexlebens.net
        <<: *defaults
      - name: movie-roulette
        url: https://movie-roulette.alexlebens.net
        <<: *defaults
      - name: jellyfin
        url: https://jellyfin.alexlebens.net
        <<: *defaults
@@ -427,7 +430,7 @@ postgres-18-cluster:
      - name: live-backup
        suspend: false
        immediate: true
-        schedule: "0 0 0 * * *"
+        schedule: "0 25 14 * * *"
        backupName: garage-local
      # - name: weekly-backup
      #   suspend: true
@@ -443,9 +446,10 @@ volsync-target-data:
  pvcTarget: gatus
  local:
    enabled: true
-    schedule: 22 8 * * *
+    schedule: 20 8 * * *
  remote:
-    enabled: false
+    enabled: true
    schedule: 20 9 * * *
  external:
    enabled: true
-    schedule: 22 9 * * *
+    schedule: 20 10 * * *
--- a/clusters/cl01tl/helm/generic-device-plugin/Chart.lock
+++ b/clusters/cl01tl/helm/generic-device-plugin/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: generic-device-plugin
  repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
-  version: 0.20.21
+  version: 0.20.22
-digest: sha256:4f1359a01b8b85722ab1805426a86f3ea64d0134513ce14fe9c55f3f918a21fb
+digest: sha256:14e5aa3f02ce6a1271dadc3f76997c739fc9434e669b05655c079d0b873c56ca
-generated: "2026-03-09T23:02:42.799515974Z"
+generated: "2026-03-15T20:35:40.676997293Z"
--- a/clusters/cl01tl/helm/generic-device-plugin/Chart.yaml
+++ b/clusters/cl01tl/helm/generic-device-plugin/Chart.yaml
@@ -15,6 +15,6 @@ maintainers:
 dependencies:
  - name: generic-device-plugin
    repository: https://gitea.alexlebens.dev/api/packages/alexlebens/helm
-    version: 0.20.21
+    version: 0.20.22
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
 appVersion: 1.0.0
--- a/clusters/cl01tl/helm/gitea/Chart.lock
+++ b/clusters/cl01tl/helm/gitea/Chart.lock
@@ -7,13 +7,13 @@ dependencies:
  version: 0.0.3
 - name: meilisearch
  repository: https://meilisearch.github.io/meilisearch-kubernetes
-  version: 0.27.0
+  version: 0.28.0
 - name: cloudflared
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 2.4.0
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.8.0
+  version: 7.10.0
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.4.0
@@ -23,5 +23,5 @@ dependencies:
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.8.0
-digest: sha256:177a591c68e99a6f63f8acaf904cfc444774814db4ccd3ac410be511d67bbf9c
+digest: sha256:238b7653c9d12c4886a56350b6d66217dbe7ecbb76078a846c7cc2c8cb450eb3
-generated: "2026-03-09T23:06:50.110952088Z"
+generated: "2026-03-16T15:56:55.197735783Z"
--- a/clusters/cl01tl/helm/gitea/Chart.yaml
+++ b/clusters/cl01tl/helm/gitea/Chart.yaml
@@ -33,14 +33,14 @@ dependencies:
    repository: https://dl.gitea.com/charts/
    version: 0.0.3
  - name: meilisearch
-    version: 0.27.0
+    version: 0.28.0
    repository: https://meilisearch.github.io/meilisearch-kubernetes
  - name: cloudflared
    repository: oci://harbor.alexlebens.net/helm-charts
    version: 2.4.0
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.8.0
+    version: 7.10.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: valkey
    alias: valkey-gitea
@@ -56,4 +56,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/gitea.png
 # renovate: datasource=github-releases depName=go-gitea/gitea
-appVersion: 1.25.4
+appVersion: 1.25.5
--- a/clusters/cl01tl/helm/gitea/values.yaml
+++ b/clusters/cl01tl/helm/gitea/values.yaml
@@ -4,7 +4,7 @@ gitea:
  replicaCount: 3
  image:
    repository: gitea/gitea
-    tag: 1.25.4
+    tag: 1.25.5
  service:
    http:
      type: ClusterIP
@@ -57,6 +57,7 @@ gitea:
        ROOT_URL: https://gitea.alexlebens.dev
        LOCAL_ROOT_URL: http://gitea-http.gitea.svc.cluster.local:3000
        START_SSH_SERVER: true
        HTTP_PORT: 3000
        SSH_DOMAIN: gitea.alexlebens.net
        SSH_PORT: 22
        SSH_LISTEN_PORT: 22
@@ -222,7 +223,7 @@ postgres-18-cluster:
      - name: live-backup
        suspend: false
        immediate: true
-        schedule: "0 0 0 * * *"
+        schedule: "0 0 7 * * *"
        backupName: garage-local
      # - name: weekly-backup
      #   suspend: true
@@ -259,7 +260,7 @@ volsync-target-storage:
    fsGroupChangePolicy: OnRootMismatch
  local:
    enabled: true
-    schedule: 0 0 0 * * *
+    schedule: 0 0 7 * * *
    restic:
      pruneIntervalDays: 3
      retain:
--- a/clusters/cl01tl/helm/grafana-operator/Chart.lock
+++ b/clusters/cl01tl/helm/grafana-operator/Chart.lock
@@ -1,15 +1,15 @@
 dependencies:
 - name: grafana-operator
  repository: https://grafana.github.io/helm-charts
-  version: 5.22.0
+  version: 5.22.1
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.8.0
+  version: 7.10.0
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.4.0
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.4.0
-digest: sha256:6f4dc1456854cad04f387cef6e0a9c846e76eb811bf97f2b7b13877cb3f577bd
+digest: sha256:9cbba52d093e40b20917af87263e1fb0e478912440f660543f3527e70452edc7
-generated: "2026-03-09T23:07:06.293890171Z"
+generated: "2026-03-15T20:05:59.855514102Z"
--- a/clusters/cl01tl/helm/grafana-operator/Chart.yaml
+++ b/clusters/cl01tl/helm/grafana-operator/Chart.yaml
@@ -17,11 +17,11 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: grafana-operator
-    version: 5.22.0
+    version: 5.22.1
    repository: https://grafana.github.io/helm-charts
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.8.0
+    version: 7.10.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: valkey
    alias: valkey-unified-alerting
@@ -33,4 +33,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/grafana.png
 # renovate: datasource=github-releases depName=grafana/grafana-operator
-appVersion: v5.22.0
+appVersion: v5.22.1
--- a/clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml
+++ b/clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml
@@ -358,6 +358,25 @@ spec:
  resyncPeriod: 1h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/traefik.json
 ---
 apiVersion: grafana.integreatly.org/v1beta1
 kind: GrafanaDashboard
 metadata:
  name: grafana-dashboard-tdarr
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-dashboard-tdarr
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  instanceSelector:
    matchLabels:
      app: grafana-main
  contentCacheDuration: 1h
  folderUID: grafana-folder-service
  resyncPeriod: 1h
  url: http://gitea-http.gitea:3000/alexlebens/grafana-dashboards/raw/branch/main/dashboards/service/tdarr.json
 ---
 apiVersion: grafana.integreatly.org/v1beta1
 kind: GrafanaDashboard
--- a/clusters/cl01tl/helm/grafana-operator/values.yaml
+++ b/clusters/cl01tl/helm/grafana-operator/values.yaml
@@ -42,7 +42,7 @@ postgres-18-cluster:
      - name: live-backup
        suspend: false
        immediate: true
-        schedule: "0 0 0 * * *"
+        schedule: "0 30 14 * * *"
        backupName: garage-local
      # - name: weekly-backup
      #   suspend: true
--- a/clusters/cl01tl/helm/harbor/Chart.lock
+++ b/clusters/cl01tl/helm/harbor/Chart.lock
@@ -4,9 +4,9 @@ dependencies:
  version: 1.18.2
 - name: postgres-cluster
  repository: https://gitea.alexlebens.net/api/packages/alexlebens/helm
-  version: 7.8.0
+  version: 7.10.0
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.4.0
-digest: sha256:ee8ed34cd53d8fa36497df28cba9cf16ef656250b0bc3ff6690fb958b22caf6f
+digest: sha256:14c2b7d09631dbb573e9c9d4613ebe52e330146662da0da15f74c31ec519ed15
-generated: "2026-03-09T23:07:20.650108569Z"
+generated: "2026-03-15T20:06:13.615175051Z"
--- a/clusters/cl01tl/helm/harbor/Chart.yaml
+++ b/clusters/cl01tl/helm/harbor/Chart.yaml
@@ -21,7 +21,7 @@ dependencies:
    repository: https://helm.goharbor.io
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.8.0
+    version: 7.10.0
    repository: https://gitea.alexlebens.net/api/packages/alexlebens/helm
  - name: valkey
    alias: valkey
@@ -29,4 +29,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/harbor.png
 # renovate: datasource=github-releases depName=goharbor/harbor
-appVersion: v2.14.2
+appVersion: v2.14.3
--- a/clusters/cl01tl/helm/harbor/values.yaml
+++ b/clusters/cl01tl/helm/harbor/values.yaml
@@ -41,12 +41,12 @@ harbor:
  portal:
    image:
      repository: goharbor/harbor-portal
-      tag: v2.14.2
+      tag: v2.14.3
    replicas: 2
  core:
    image:
      repository: goharbor/harbor-core
-      tag: v2.14.2
+      tag: v2.14.3
    replicas: 2
    existingSecret: harbor-secret
    secretName: harbor-secret
@@ -54,7 +54,7 @@ harbor:
  jobservice:
    image:
      repository: goharbor/harbor-jobservice
-      tag: v2.14.2
+      tag: v2.14.3
    replicas: 2
    jobLoggers:
      - stdout
@@ -63,11 +63,11 @@ harbor:
    registry:
      image:
        repository: goharbor/registry-photon
-        tag: v2.14.2
+        tag: v2.14.3
    controller:
      image:
        repository: goharbor/harbor-registryctl
-        tag: v2.14.2
+        tag: v2.14.3
    existingSecret: harbor-secret
    relativeurls: true
    credentials:
@@ -94,14 +94,14 @@ harbor:
  exporter:
    image:
      repository: goharbor/harbor-exporter
-      tag: v2.14.2
+      tag: v2.14.3
    replicas: 2
 postgres-18-cluster:
  mode: recovery
  recovery:
    method: objectStore
    objectStore:
-      index: 1
+      index: 2
  backup:
    objectStore:
      - name: garage-local
@@ -126,7 +126,7 @@ postgres-18-cluster:
      - name: live-backup
        suspend: false
        immediate: true
-        schedule: "0 0 0 * * *"
+        schedule: "0 35 14 * * *"
        backupName: garage-local
      # - name: weekly-backup
      #   suspend: true
--- a/clusters/cl01tl/helm/headlamp/Chart.lock
+++ b/clusters/cl01tl/helm/headlamp/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: headlamp
  repository: https://kubernetes-sigs.github.io/headlamp/
-  version: 0.40.0
+  version: 0.40.1
-digest: sha256:b7f8f176f8c4902130e87660adb39211fd5ca454f89f5a7e9ed577cd4c3a2255
+digest: sha256:723a57d6fe86a124b8bae7dfc1dde0c2abd60021837826b486054df00551dc03
-generated: "2026-02-05T18:23:45.100522813Z"
+generated: "2026-03-14T15:02:53.184950913Z"
--- a/clusters/cl01tl/helm/headlamp/Chart.yaml
+++ b/clusters/cl01tl/helm/headlamp/Chart.yaml
@@ -14,7 +14,7 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: headlamp
-    version: 0.40.0
+    version: 0.40.1
    repository: https://kubernetes-sigs.github.io/headlamp/
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/headlamp.png
 # renovate: datasource=github-releases depName=headlamp-k8s/headlamp
--- a/clusters/cl01tl/helm/headlamp/values.yaml
+++ b/clusters/cl01tl/helm/headlamp/values.yaml
@@ -8,6 +8,8 @@ headlamp:
        enabled: true
        name: headlamp-oidc-secret
    watchPlugins: true
    # Bypasses: https://github.com/kubernetes-sigs/headlamp/issues/4883
    sessionTTL: null
  resources:
    requests:
      cpu: 10m
--- a/clusters/cl01tl/helm/home-assistant/values.yaml
+++ b/clusters/cl01tl/helm/home-assistant/values.yaml
@@ -21,7 +21,7 @@ home-assistant:
        code-server:
          image:
            repository: ghcr.io/linuxserver/code-server
-            tag: 4.110.0@sha256:8473aa16fba93fccc3ca772173d095bccd2e44d4d3104467fee923df10d57cd2
+            tag: 4.111.0@sha256:12c04b41f601604795562ece2ac64cade7cfca632415f4bfb1742477e3226272
            pullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -134,9 +134,10 @@ volsync-target-config:
    fsGroupChangePolicy: OnRootMismatch
  local:
    enabled: true
-    schedule: 24 8 * * *
+    schedule: 22 8 * * *
  remote:
-    enabled: false
+    enabled: true
    schedule: 22 9 * * *
  external:
    enabled: true
-    schedule: 24 9 * * *
+    schedule: 22 10 * * *
--- a/clusters/cl01tl/helm/homepage/Chart.yaml
+++ b/clusters/cl01tl/helm/homepage/Chart.yaml
@@ -19,4 +19,4 @@ dependencies:
    version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/homepage.png
 # renovate: datasource=github-releases depName=gethomepage/homepage
-appVersion: v1.10.1
+appVersion: v1.11.0
--- a/clusters/cl01tl/helm/homepage/values.yaml
+++ b/clusters/cl01tl/helm/homepage/values.yaml
@@ -16,7 +16,7 @@ homepage:
        main:
          image:
            repository: ghcr.io/gethomepage/homepage
-            tag: v1.10.1
+            tag: v1.11.0
            pullPolicy: IfNotPresent
          env:
            - name: HOMEPAGE_ALLOWED_HOSTS
@@ -160,6 +160,12 @@ homepage:
                  href: https://yamtrack.alexlebens.net
                  siteMonitor: http://yamtrack.yamtrack:80
                  statusStyle: dot
              - Movie Roulette:
                  icon: https://raw.githubusercontent.com/sahara101/Movie-Roulette/refs/heads/main/static/icons/icon.png
                  description: Movie Roulette
                  href: https://movie-roulette.alexlebens.net
                  siteMonitor: http://movie-roulette.movie-roulette:80
                  statusStyle: dot
              - Movies and TV:
                  icon: sh-jellyfin.webp
                  description: Jellyfin
--- a/clusters/cl01tl/helm/immich/Chart.lock
+++ b/clusters/cl01tl/helm/immich/Chart.lock
@@ -4,12 +4,12 @@ dependencies:
  version: 4.6.2
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.8.0
+  version: 7.10.0
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.4.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.8.0
-digest: sha256:360f79209535cd9132b7db774aabd6492c2c287e62f00795e5f4ae4cc6a038c0
+digest: sha256:b79ea8c506f0172deed820247a33c79329f34426435c8b5eb27b206ac8831b13
-generated: "2026-03-09T23:07:40.320287247Z"
+generated: "2026-03-15T20:06:27.091094433Z"
--- a/clusters/cl01tl/helm/immich/Chart.yaml
+++ b/clusters/cl01tl/helm/immich/Chart.yaml
@@ -20,7 +20,7 @@ dependencies:
    version: 4.6.2
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.8.0
+    version: 7.10.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: valkey
    alias: valkey
--- a/clusters/cl01tl/helm/immich/values.yaml
+++ b/clusters/cl01tl/helm/immich/values.yaml
@@ -209,7 +209,7 @@ postgres-18-cluster:
      - name: live-backup
        suspend: false
        immediate: true
-        schedule: "0 0 0 * * *"
+        schedule: "0 40 14 * * *"
        backupName: garage-local
      # - name: weekly-backup
      #   suspend: true
@@ -225,16 +225,16 @@ volsync-target-data:
  pvcTarget: immich
  local:
    enabled: true
-    schedule: 28 8 * * *
+    schedule: 24 8 * * *
    restic:
      cacheCapacity: 10Gi
  remote:
    enabled: true
-    schedule: 28 10 * * *
+    schedule: 24 9 * * *
    restic:
      cacheCapacity: 10Gi
  external:
    enabled: true
-    schedule: 28 9 * * *
+    schedule: 24 10 * * *
    restic:
      cacheCapacity: 10Gi
--- a/clusters/cl01tl/helm/jellyfin/Chart.lock
+++ b/clusters/cl01tl/helm/jellyfin/Chart.lock
@@ -4,9 +4,9 @@ dependencies:
  version: 4.6.2
 - name: meilisearch
  repository: https://meilisearch.github.io/meilisearch-kubernetes
-  version: 0.27.0
+  version: 0.28.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.8.0
-digest: sha256:ca384647a640ae717ac874a2627f00ac9a1e5c97ff5eeb8f326ebdd471ab1623
+digest: sha256:57b007c6e19dda1300f5025332d9e8104bfb9a50cd7124260bfa68ce2432628b
-generated: "2026-03-09T15:04:08.648165537Z"
+generated: "2026-03-16T15:57:13.466372254Z"
--- a/clusters/cl01tl/helm/jellyfin/Chart.yaml
+++ b/clusters/cl01tl/helm/jellyfin/Chart.yaml
@@ -25,7 +25,7 @@ dependencies:
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.6.2
  - name: meilisearch
-    version: 0.27.0
+    version: 0.28.0
    repository: https://meilisearch.github.io/meilisearch-kubernetes
  - name: volsync-target
    alias: volsync-target-config
--- a/clusters/cl01tl/helm/jellyfin/values.yaml
+++ b/clusters/cl01tl/helm/jellyfin/values.yaml
@@ -143,14 +143,16 @@ volsync-target-config:
  pvcTarget: jellyfin-config
  local:
    enabled: true
-    schedule: 30 8 * * *
+    schedule: 26 8 * * *
    restic:
      cacheCapacity: 10Gi
  remote:
    enabled: true
    schedule: 26 9 * * *
    restic:
      cacheCapacity: 10Gi
  external:
    enabled: true
-    schedule: 30 9 * * *
+    schedule: 26 10 * * *
    restic:
      cacheCapacity: 10Gi
--- a/clusters/cl01tl/helm/jellystat/Chart.lock
+++ b/clusters/cl01tl/helm/jellystat/Chart.lock
@@ -4,9 +4,9 @@ dependencies:
  version: 4.6.2
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.8.0
+  version: 7.10.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.8.0
-digest: sha256:0f8868c6e89c0f283650db5446e8f36f162cb2179f62eb58e67b5b08c03ac84d
+digest: sha256:f779185ce82045b47fc75bf95c4a8215acbd387f44a4bdb764486406d9b03748
-generated: "2026-03-06T01:09:37.09922161Z"
+generated: "2026-03-15T20:06:38.720993367Z"
--- a/clusters/cl01tl/helm/jellystat/Chart.yaml
+++ b/clusters/cl01tl/helm/jellystat/Chart.yaml
@@ -21,7 +21,7 @@ dependencies:
    version: 4.6.2
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.8.0
+    version: 7.10.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-data
--- a/clusters/cl01tl/helm/jellystat/values.yaml
+++ b/clusters/cl01tl/helm/jellystat/values.yaml
@@ -129,7 +129,7 @@ postgres-18-cluster:
      - name: live-backup
        suspend: false
        immediate: true
-        schedule: "0 0 0 * * *"
+        schedule: "0 45 14 * * *"
        backupName: garage-local
      # - name: weekly-backup
      #   suspend: true
@@ -145,9 +145,10 @@ volsync-target-data:
  pvcTarget: jellystat-data
  local:
    enabled: true
-    schedule: 32 8 * * *
+    schedule: 28 8 * * *
  remote:
-    enabled: false
+    enabled: true
    schedule: 28 9 * * *
  external:
    enabled: true
-    schedule: 32 9 * * *
+    schedule: 28 10 * * *
--- a/clusters/cl01tl/helm/karakeep/Chart.lock
+++ b/clusters/cl01tl/helm/karakeep/Chart.lock
@@ -4,12 +4,12 @@ dependencies:
  version: 4.6.2
 - name: meilisearch
  repository: https://meilisearch.github.io/meilisearch-kubernetes
-  version: 0.27.0
+  version: 0.28.0
 - name: cloudflared
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 2.4.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.8.0
-digest: sha256:75f92316d4b6229d00e3dfa39ed5026ad39a28f833321cd3887a2048cdac34c7
+digest: sha256:49e37e17dc859927048c6474ce27cb063a020f291d6d2d24876d0427eddc3656
-generated: "2026-03-09T22:04:48.630821646Z"
+generated: "2026-03-16T15:57:28.156797159Z"
--- a/clusters/cl01tl/helm/karakeep/Chart.yaml
+++ b/clusters/cl01tl/helm/karakeep/Chart.yaml
@@ -22,7 +22,7 @@ dependencies:
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.6.2
  - name: meilisearch
-    version: 0.27.0
+    version: 0.28.0
    repository: https://meilisearch.github.io/meilisearch-kubernetes
  - name: cloudflared
    repository: oci://harbor.alexlebens.net/helm-charts
--- a/clusters/cl01tl/helm/karakeep/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/karakeep/templates/external-secret.yaml
@@ -57,6 +57,43 @@ spec:
        metadataPolicy: None
        property: secret
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: karakeep-bucket-garage
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: karakeep-bucket-garage
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault
  data:
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/karakeep-assets
        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/karakeep-assets
        metadataPolicy: None
        property: ACCESS_SECRET_KEY
    - secretKey: ACCESS_REGION
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: /garage/home-infra/karakeep-assets
        metadataPolicy: None
        property: ACCESS_REGION
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
--- a/clusters/cl01tl/helm/karakeep/templates/object-bucket-claim.yaml
+++ b/clusters/cl01tl/helm/karakeep/templates/object-bucket-claim.yaml
@@ -1,11 +0,0 @@
 apiVersion: objectbucket.io/v1alpha1
 kind: ObjectBucketClaim
 metadata:
  name: ceph-bucket-karakeep
  labels:
    app.kubernetes.io/name: ceph-bucket-karakeep
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
  generateBucketName: bucket-karakeep
  storageClassName: ceph-bucket
--- a/clusters/cl01tl/helm/karakeep/values.yaml
+++ b/clusters/cl01tl/helm/karakeep/values.yaml
@@ -29,24 +29,24 @@ karakeep:
                  name: karakeep-key-secret
                  key: prometheus-token
            - name: ASSET_STORE_S3_ENDPOINT
-              value: http://rook-ceph-rgw-ceph-objectstore.rook-ceph.svc:80
+              value: http://garage-main.garage:3900
            - name: ASSET_STORE_S3_REGION
              value: us-east-1
            - name: ASSET_STORE_S3_BUCKET
              valueFrom:
-                configMapKeyRef:
+                secretKeyRef:
-                  name: ceph-bucket-karakeep
+                  name: karakeep-bucket-garage
-                  key: BUCKET_NAME
+                  key: ACCESS_REGION
            - name: ASSET_STORE_S3_BUCKET
              value: karakeep-assets
            - name: ASSET_STORE_S3_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
-                  name: ceph-bucket-karakeep
+                  name: karakeep-bucket-garage
-                  key: AWS_ACCESS_KEY_ID
+                  key: ACCESS_KEY_ID
            - name: ASSET_STORE_S3_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
-                  name: ceph-bucket-karakeep
+                  name: karakeep-bucket-garage
-                  key: AWS_SECRET_ACCESS_KEY
+                  key: ACCESS_SECRET_KEY
            - name: ASSET_STORE_S3_FORCE_PATH_STYLE
              value: true
            - name: MEILI_ADDR
@@ -172,9 +172,10 @@ volsync-target-data:
  pvcTarget: karakeep
  local:
    enabled: true
-    schedule: 34 8 * * *
+    schedule: 30 8 * * *
  remote:
-    enabled: false
+    enabled: true
    schedule: 30 9 * * *
  external:
    enabled: true
-    schedule: 34 9 * * *
+    schedule: 30 10 * * *
--- a/clusters/cl01tl/helm/komodo/Chart.lock
+++ b/clusters/cl01tl/helm/komodo/Chart.lock
@@ -4,6 +4,6 @@ dependencies:
  version: 4.6.2
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.8.0
+  version: 7.10.0
-digest: sha256:dd1ccfe8d0bfc7248141d2f72806c6437572f21d818941e9071f58d1a0a47259
+digest: sha256:a6f33512d929c5a1b70bde6c3294902f5d707855aabbaa815f32e23aa54b266f
-generated: "2026-02-27T18:17:12.586352018Z"
+generated: "2026-03-15T20:06:49.233053802Z"
--- a/clusters/cl01tl/helm/komodo/Chart.yaml
+++ b/clusters/cl01tl/helm/komodo/Chart.yaml
@@ -23,7 +23,7 @@ dependencies:
    version: 4.6.2
  - name: postgres-cluster
    alias: postgresql-17-fdb-cluster
-    version: 7.8.0
+    version: 7.10.0
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/komodo.png
 # renovate: datasource=github-releases depName=moghtech/komodo
--- a/clusters/cl01tl/helm/komodo/values.yaml
+++ b/clusters/cl01tl/helm/komodo/values.yaml
@@ -205,7 +205,7 @@ postgresql-17-fdb-cluster:
  recovery:
    method: objectStore
    objectStore:
-      index: 1
+      index: 2
  backup:
    objectStore:
      - name: garage-local
@@ -230,7 +230,7 @@ postgresql-17-fdb-cluster:
      - name: live-backup
        suspend: false
        immediate: true
-        schedule: "0 0 0 * * *"
+        schedule: "0 50 14 * * *"
        backupName: garage-local
      # - name: weekly-backup
      #   suspend: true
--- a/clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock
@@ -1,12 +1,12 @@
 dependencies:
 - name: kube-prometheus-stack
  repository: oci://ghcr.io/prometheus-community/charts
-  version: 82.10.2
+  version: 82.10.4
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.6.2
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.4.0
-digest: sha256:9019f0e0bcbe5033457c9d402590b51a1b27e2e6141bfd5d84b9b30a5f666c98
+digest: sha256:d6bbbfdd1a781b5eb82c2dc8571836a43d23bf8526eac1bcd40f38030be642db
-generated: "2026-03-09T23:07:53.50141436Z"
+generated: "2026-03-15T20:38:11.961621853Z"
--- a/clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml
+++ b/clusters/cl01tl/helm/kube-prometheus-stack/Chart.yaml
@@ -20,7 +20,7 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: kube-prometheus-stack
-    version: 82.10.2
+    version: 82.10.4
    repository: oci://ghcr.io/prometheus-community/charts
  - name: app-template
    alias: ntfy-alertmanager
--- a/clusters/cl01tl/helm/libation/Chart.yaml
+++ b/clusters/cl01tl/helm/libation/Chart.yaml
@@ -24,4 +24,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/libation.png
 # renovate: datasource=github-releases depName=rmcrackan/Libation
-appVersion: 13.2.1
+appVersion: 13.3.0
--- a/clusters/cl01tl/helm/libation/values.yaml
+++ b/clusters/cl01tl/helm/libation/values.yaml
@@ -16,7 +16,7 @@ libation:
        main:
          image:
            repository: rmcrackan/libation
-            tag: 13.2.1
+            tag: 13.3.0
            pullPolicy: IfNotPresent
          env:
            - name: SLEEP_TIME
@@ -75,9 +75,10 @@ volsync-target-config:
  pvcTarget: libation
  local:
    enabled: true
-    schedule: 36 8 * * *
+    schedule: 32 8 * * *
  remote:
-    enabled: false
+    enabled: true
    schedule: 32 9 * * *
  external:
    enabled: true
-    schedule: 36 9 * * *
+    schedule: 32 10 * * *
--- a/clusters/cl01tl/helm/lidarr/Chart.lock
+++ b/clusters/cl01tl/helm/lidarr/Chart.lock
@@ -4,9 +4,9 @@ dependencies:
  version: 4.6.2
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.8.0
+  version: 7.10.0
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.8.0
-digest: sha256:4511a3475316ebf0bd5da452e69602b7d52746253c659a433e61851f51093285
+digest: sha256:0f1a2923a7042b364a817edc64729d5e1c18b0552555c035d974de626f372692
-generated: "2026-03-06T01:10:55.882802086Z"
+generated: "2026-03-15T20:07:00.750754951Z"
--- a/clusters/cl01tl/helm/lidarr/Chart.yaml
+++ b/clusters/cl01tl/helm/lidarr/Chart.yaml
@@ -24,7 +24,7 @@ dependencies:
    version: 4.6.2
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.8.0
+    version: 7.10.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: volsync-target
    alias: volsync-target-config
--- a/clusters/cl01tl/helm/lidarr/values.yaml
+++ b/clusters/cl01tl/helm/lidarr/values.yaml
@@ -15,7 +15,7 @@ lidarr:
        main:
          image:
            repository: ghcr.io/linuxserver/lidarr
-            tag: 3.1.2-nightly@sha256:f64fabd1737d9c7d519e1a37aba97b2e110d717e1c497a6f9788766f9633cf8f
+            tag: 3.1.2-nightly@sha256:2b1b64f07214c6cf05bcfed999aa74ee23825e4bc2ef2c48aba1cd5d5bf968fe
            pullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -167,7 +167,7 @@ postgres-18-cluster:
      - name: live-backup
        suspend: false
        immediate: true
-        schedule: "0 0 0 * * *"
+        schedule: "0 55 14 * * *"
        backupName: garage-local
      # - name: weekly-backup
      #   suspend: true
@@ -188,9 +188,10 @@ volsync-target-config:
    fsGroupChangePolicy: OnRootMismatch
  local:
    enabled: true
-    schedule: 38 8 * * *
+    schedule: 34 8 * * *
  remote:
-    enabled: false
+    enabled: true
    schedule: 34 9 * * *
  external:
    enabled: true
-    schedule: 38 9 * * *
+    schedule: 34 10 * * *
--- a/clusters/cl01tl/helm/loki/Chart.lock
+++ b/clusters/cl01tl/helm/loki/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: loki
  repository: https://grafana.github.io/helm-charts
-  version: 6.53.0
+  version: 6.55.0
 - name: alloy
  repository: https://grafana.github.io/helm-charts
  version: 1.6.2
-digest: sha256:88b8ace6bcbcbff4b04727499705fbe94de7fe4b8f0b8aa254a1e7d1d2c65fac
+digest: sha256:463184dc134143723f8567a1ebd228353cf0253a139f0a4e76637ec65aa4aaf1
-generated: "2026-03-10T18:56:19.38475079Z"
+generated: "2026-03-14T18:16:47.779817047Z"
--- a/clusters/cl01tl/helm/loki/Chart.yaml
+++ b/clusters/cl01tl/helm/loki/Chart.yaml
@@ -16,7 +16,7 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: loki
-    version: 6.53.0
+    version: 6.55.0
    repository: https://grafana.github.io/helm-charts
  - name: alloy
    version: 1.6.2
--- a/clusters/cl01tl/helm/mariadb-operator/Chart.lock
+++ b/clusters/cl01tl/helm/mariadb-operator/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: mariadb-operator
  repository: https://helm.mariadb.com/mariadb-operator
-  version: 25.10.4
+  version: 26.3.0
 - name: mariadb-operator-crds
  repository: https://helm.mariadb.com/mariadb-operator
-  version: 25.10.4
+  version: 26.3.0
-digest: sha256:fcb4433060885746dd43a5fb4d8b32163d50d97dc4614fbf4c82f966a1723304
+digest: sha256:95f9484c385d08f9b15f55cbb0f8d82c55b8c1a055a4c7697335d4ca51c35d7e
-generated: "2026-01-08T21:21:13.446114122Z"
+generated: "2026-03-14T23:23:02.743862932Z"
--- a/clusters/cl01tl/helm/mariadb-operator/Chart.yaml
+++ b/clusters/cl01tl/helm/mariadb-operator/Chart.yaml
@@ -15,11 +15,11 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: mariadb-operator
-    version: 25.10.4
+    version: 26.3.0
    repository: https://helm.mariadb.com/mariadb-operator
  - name: mariadb-operator-crds
-    version: 25.10.4
+    version: 26.3.0
    repository: https://helm.mariadb.com/mariadb-operator
 icon: https://mariadb-operator.github.io/mariadb-operator/assets/mariadb_profile.svg
 # renovate: datasource=github-releases depName=mariadb-operator/mariadb-operator
-appVersion: 25.10.4
+appVersion: 26.3.0
--- a/clusters/cl01tl/helm/matrix-synapse/Chart.lock
+++ b/clusters/cl01tl/helm/matrix-synapse/Chart.lock
@@ -1,7 +1,7 @@
 dependencies:
 - name: matrix-synapse
  repository: https://ananace.gitlab.io/charts
-  version: 3.12.22
+  version: 3.12.23
 - name: app-template
  repository: https://bjw-s-labs.github.io/helm-charts/
  version: 4.6.2
@@ -19,7 +19,7 @@ dependencies:
  version: 2.4.0
 - name: postgres-cluster
  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.8.0
+  version: 7.10.0
 - name: valkey
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.4.0
@@ -38,5 +38,5 @@ dependencies:
 - name: volsync-target
  repository: oci://harbor.alexlebens.net/helm-charts
  version: 0.8.0
-digest: sha256:fc6e3a04b828daf3a0861aec6a7a6d1c9a45fabaf29abd3fb3be2e8db4d0875b
+digest: sha256:1578e2c48447f217e72bffb3afcb6f1f15c427a4acce5dbca830cdd7045b1348
-generated: "2026-03-09T23:08:07.610958823Z"
+generated: "2026-03-15T20:07:12.751000922Z"
--- a/clusters/cl01tl/helm/matrix-synapse/Chart.yaml
+++ b/clusters/cl01tl/helm/matrix-synapse/Chart.yaml
@@ -29,7 +29,7 @@ maintainers:
  - name: alexlebens
 dependencies:
  - name: matrix-synapse
-    version: 3.12.22
+    version: 3.12.23
    repository: https://ananace.gitlab.io/charts
  - name: app-template
    alias: matrix-hookshot
@@ -53,7 +53,7 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: postgres-cluster
    alias: postgres-18-cluster
-    version: 7.8.0
+    version: 7.10.0
    repository: oci://harbor.alexlebens.net/helm-charts
  - name: valkey
    alias: valkey-matrix-synapse
@@ -81,4 +81,4 @@ dependencies:
    repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/matrix.png
 # renovate: datasource=github-releases depName=element-hq/synapse
-appVersion: v1.149.0
+appVersion: v1.149.1
--- a/clusters/cl01tl/helm/matrix-synapse/values.yaml
+++ b/clusters/cl01tl/helm/matrix-synapse/values.yaml
@@ -434,7 +434,7 @@ postgres-18-cluster:
      - name: live-backup
        suspend: false
        immediate: true
-        schedule: "0 0 0 * * *"
+        schedule: "0 0 15 * * *"
        backupName: garage-local
      # - name: weekly-backup
      #   suspend: true
@@ -470,22 +470,24 @@ volsync-target-synapse:
  pvcTarget: matrix-synapse
  local:
    enabled: true
-    schedule: 44 8 * * *
+    schedule: 36 8 * * *
  remote:
-    enabled: false
+    enabled: true
    schedule: 36 9 * * *
  external:
    enabled: true
-    schedule: 44 9 * * *
+    schedule: 36 10 * * *
 volsync-target-hookshot:
  pvcTarget: matrix-hookshot
  local:
    enabled: true
-    schedule: 46 8 * * *
+    schedule: 38 8 * * *
  remote:
-    enabled: false
+    enabled: true
    schedule: 38 9 * * *
  external:
    enabled: true
-    schedule: 46 9 * * *
+    schedule: 38 10 * * *
 volsync-target-discord:
  pvcTarget: mautrix-discord
  moverSecurityContext:
@@ -493,12 +495,13 @@ volsync-target-discord:
    runAsGroup: 1337
  local:
    enabled: true
-    schedule: 48 8 * * *
+    schedule: 40 8 * * *
  remote:
-    enabled: false
+    enabled: true
    schedule: 40 9 * * *
  external:
    enabled: true
-    schedule: 48 9 * * *
+    schedule: 40 10 * * *
 volsync-target-whatsapp:
  pvcTarget: mautrix-whatsapp
  moverSecurityContext:
@@ -506,9 +509,10 @@ volsync-target-whatsapp:
    runAsGroup: 1337
  local:
    enabled: true
-    schedule: 50 8 * * *
+    schedule: 42 8 * * *
  remote:
-    enabled: false
+    enabled: true
    schedule: 42 9 * * *
  external:
    enabled: true
-    schedule: 50 9 * * *
+    schedule: 42 10 * * *
--- a/Show More
+++ b/Show More